{
"Event": {
"analysis": "0",
"date": "2024-10-01",
"extends_uuid": "",
"info": "OSINT - Inside the Dragon: DragonForce Ransomware Group",
"publish_timestamp": "1727768670",
"published": true,
"threat_level_id": "3",
"timestamp": "1727768647",
"uuid": "b0454a71-cd8b-440b-bf27-1a52800b2579",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:ransomware=\"dragonforce\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
"relationship_type": ""
},
{
"colour": "#064d00",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Accounts - T1078.002\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\"",
"relationship_type": ""
},
{
"colour": "#065100",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"LSASS Memory - T1003.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Domain Trust Discovery - T1482\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Remote Desktop Protocol - T1021.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1727768071",
"to_ids": true,
"type": "ip-dst",
"uuid": "bc4108ce-6ab3-46bf-9660-abe2953aaae1",
"value": "185.73.125.8"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1727768071",
"to_ids": true,
"type": "ip-dst",
"uuid": "1ac8f757-48c0-4377-b186-ef9b6f724282",
"value": "94.232.46.202"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2024-09-21T00:00:00+00:00",
"last_seen": "2024-09-22T00:00:00+00:00",
"timestamp": "1727768260",
"to_ids": true,
"type": "ip-dst",
"uuid": "bfadeb19-9035-47d4-aa22-5abb35a91fdc",
"value": "69.4.234.20"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2024-09-21T00:00:00+00:00",
"timestamp": "1727768199",
"to_ids": true,
"type": "ip-dst",
"uuid": "6fb948dc-8913-4f6b-8c27-3dbec5ef230b",
"value": "2.147.68.96"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2024-09-21T00:00:00+00:00",
"timestamp": "1727768155",
"to_ids": true,
"type": "ip-dst",
"uuid": "55d95782-914b-412f-9c4e-eef4136e574d",
"value": "185.59.221.75"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1727767860",
"uuid": "cc3855a9-263e-402f-b535-c688a3c2d31f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1727767860",
"to_ids": true,
"type": "filename",
"uuid": "eb705e35-3409-4c24-9670-1be84f17e601",
"value": "aug\\socks.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1727767860",
"to_ids": true,
"type": "md5",
"uuid": "582dd176-2e0f-423e-8433-7999124f3bc6",
"value": "97b70e89b5313612a9e7a339ee82ab67"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1727767876",
"uuid": "cdebca2f-e52c-4480-96b5-aa1731bd0a36",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1727767877",
"to_ids": true,
"type": "filename",
"uuid": "b043dd1b-33a2-4dec-acc4-6b0a523efe70",
"value": "%TEMP%\\2\\a65.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1727767877",
"to_ids": true,
"type": "md5",
"uuid": "d60c78b1-c7ab-45ae-9d28-c4ad4cacc5c1",
"value": "a50637f5f7a3e462135c0ae7c7af0d91"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1727767897",
"uuid": "cb6e1061-d5cf-45b8-962a-fa19e5003e25",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1727767897",
"to_ids": true,
"type": "filename",
"uuid": "91ffa876-9808-4c34-83be-5a60a1770640",
"value": "%TEMP%\\2\\netscanold.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1727767897",
"to_ids": true,
"type": "md5",
"uuid": "017bd1e4-390f-4bcd-9b46-107563f11cb8",
"value": "bb7c575e798ff5243b5014777253635d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1727767923",
"uuid": "62ec8caf-574b-4557-a081-16947aa7cc65",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1727767923",
"to_ids": true,
"type": "filename",
"uuid": "af357cbc-96a9-47e4-8e62-cf9c62b7d8b8",
"value": "df.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1727767923",
"to_ids": true,
"type": "md5",
"uuid": "b9ae93f7-1f79-4dea-a17f-344d5e206893",
"value": "c111476f7b394776b515249ecb6b20e6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1727767975",
"uuid": "1dd4ddb9-6077-43d2-9851-3638242b81ef",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1727767975",
"to_ids": false,
"type": "link",
"uuid": "464cd9cf-83af-4c02-a93c-5189ba70537d",
"value": "https://www.group-ib.com/blog/dragonforce-ransomware/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1727767975",
"to_ids": false,
"type": "text",
"uuid": "3ae6a250-3fcb-4798-beca-294c3d9c1776",
"value": "In light of the escalating frequency and complexity of ransomware attacks, are security leaders confident in their organization\u2019s defenses? According to Group-IB\u2019s Hi-Tech Crime Trends 2023/2024 Report, ransomware will have an increasingly significant impact in 2024 and beyond. Key trends driving this include the expansion of the Ransomware-as-a-Service (RaaS) market, the proliferation of stolen data on Dedicated Leak Sites (DLS), and a rise in affiliate programs.\r\n\r\nFurthermore, the evolution of ransomware variants is outpacing the advancements in cyber defence, leaving organizations unprepared for the threats on the horizon. To stay ahead, businesses must stay updated on the most pressing cybersecurity threats, and prominent threat actors that have recently emerged and continue to pose significant risks this year and in the future.\r\n\r\nIn this blog, we delve into the inner workings of the DragonForce ransomware group. Discovered in August 2023, DragonForce has been targeting companies in critical sectors using a variant of a leaked LockBit3.0 builder, and more recently in July 2024 with their own variant of ransomware."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1727767975",
"to_ids": false,
"type": "text",
"uuid": "a85061a5-32df-4045-ab40-2ffaea309c5b",
"value": "Blog"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Cobalt Strike Beacon Config",
"meta-category": "file",
"name": "cs-beacon-config",
"template_uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
"template_version": "7",
"timestamp": "1727768390",
"uuid": "7bb4f0fd-392c-4fb0-b4a4-dc836f754841",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1727768390",
"to_ids": true,
"type": "md5",
"uuid": "2258a88f-2eeb-4ddf-b2b5-083ca09a8bdf",
"value": "a50637f5f7a3e462135c0ae7c7af0d91"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1727768390",
"to_ids": true,
"type": "ip-dst",
"uuid": "764205c5-e17e-4a1b-adf4-3e547f3d362c",
"value": "185.73.125.8"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "http-url",
"timestamp": "1727768390",
"to_ids": false,
"type": "text",
"uuid": "d69fb381-da41-42b2-a998-d44461f3fa08",
"value": "http://185.73.125.8/"
}
]
}
]
}
}