2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "2" ,
"date" : "2016-10-05" ,
"extends_uuid" : "" ,
"info" : "OSINT - Hades Locker Ransomware Mimics Locky" ,
"publish_timestamp" : "1479192568" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1479192544" ,
"uuid" : "582aae88-202c-45ef-b8e9-4e61950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#006c6c" ,
"local" : "0" ,
"name" : "ecsirt:malicious-code=\"ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00acd1" ,
"local" : "0" ,
"name" : "veris:action:malware:variety=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#420053" ,
"local" : "0" ,
"name" : "ms-caro-malware:malware-type=\"Ransom\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#39b300" ,
"local" : "0" ,
"name" : "enisa:nefarious-activity-abuse=\"ransomware\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192215" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "582aae97-bce0-478f-8b51-9912950d210f" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/hades-locker-ransomware-mimics-locky"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192231" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "582aaea7-f16c-415a-b96b-4dbc950d210f" ,
"value" : "Proofpoint discovered another new ransomware strain on October 4, called Hades Locker, which mimics Locky\u00e2\u20ac\u2122s ransom message. Hades Locker appears to be an evolution of Zyklon Locker and Wildfire Locker [1] which we observed using the same sending botnet (Kelihos [2]) earlier this year. The recently documented CryptFile2 [3] and MarsJoke [4] campaigns also used the same sending spam botnet and similar distribution techniques (transportation-related email lures). However, while CryptFile2 and MarsJoke campaigns targeted state and local government agencies, the current Hades Locker campaign targeted Manufacturing and Business Services verticals."
} ,
{
"category" : "Payload delivery" ,
"comment" : "Update.exe (Hades Locker)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192257" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "582aaec1-a1e8-4dae-963c-4a28950d210f" ,
"value" : "37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809"
} ,
{
"category" : "Network activity" ,
"comment" : "Hades Locker C2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192346" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "582aaf1a-2ba0-4b6e-9831-44c6950d210f" ,
"value" : "http://pfmydcsjib.ru/config.php"
} ,
{
"category" : "Network activity" ,
"comment" : "Hades Locker C2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192346" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "582aaf1a-c674-4a31-8d7e-43b7950d210f" ,
"value" : "http://jdybchotfn.ru/config.php"
} ,
{
"category" : "Network activity" ,
"comment" : "Payload (Hades Locker) downloaded by documents" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192374" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "582aaf36-dc28-4aec-99cf-b9bb950d210f" ,
"value" : "http://185.45.193.169/update.exe"
} ,
{
"category" : "Network activity" ,
"comment" : "URL in email" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "582aaf56-cc40-4304-bd1d-4a2b950d210f" ,
"value" : "http://transportbedrijfvanetten.nl/downloads/levering-7834535.doc"
} ,
{
"category" : "Network activity" ,
"comment" : "URL in email" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "582aaf56-05dc-4c89-98e6-4a2b950d210f" ,
"value" : "http://leursmatransport.nl/downloads/levering-1245789.doc"
} ,
{
"category" : "Network activity" ,
"comment" : "URL in email" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192406" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "582aaf56-1ec0-454f-821a-4a2b950d210f" ,
"value" : "http://transportbedrijfbrenninkmeijer.nl/downloads/levering-739176.doc"
} ,
{
"category" : "Network activity" ,
"comment" : "URL in email" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192407" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "582aaf57-819c-4be7-8764-4a2b950d210f" ,
"value" : "http://breesmanstransport.nl/downloads/levering-1478529.doc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192544" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "582aafe0-7574-4768-9c87-4e6b02de0b81" ,
"value" : "68e8e1eaa7439173362ff42fec37e1149f162662"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192544" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "582aafe0-9d54-4194-8340-44f302de0b81" ,
"value" : "8f03cf5d3c951cf2711144e84779b590"
} ,
{
"category" : "External analysis" ,
"comment" : "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1479192545" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "582aafe1-ac98-459f-87f4-4e1902de0b81" ,
"value" : "https://www.virustotal.com/file/37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809/analysis/1478842683/"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}