{
"Event" : {
"analysis" : "2" ,
"date" : "2018-01-29" ,
"extends_uuid" : "" ,
"info" : "OSINT - GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension" ,
"publish_timestamp" : "1519121276" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1519121264" ,
"uuid" : "5a8aea46-0ad4-4b8a-9cfd-445b950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#75003f" ,
"local" : "0" ,
"name" : "workflow:todo=\"create-missing-misp-galaxy-cluster\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121248" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a8aea94-20d8-420b-a52b-4155950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121249" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a8aebb2-8d38-4b51-8a0f-49bf950d210f" ,
"value" : "bleepingcomputer.bit"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121249" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a8aebb3-46cc-4143-bc91-4a17950d210f" ,
"value" : "nomoreransom.bit"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121250" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a8aebb3-909c-4690-9520-4e50950d210f" ,
"value" : "esetnod32.bit"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121250" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a8aebb3-6b9c-4da9-b7d7-4c08950d210f" ,
"value" : "emsisoft.bit"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121250" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a8aebb4-97e8-480d-be52-4cd7950d210f" ,
"value" : "gandcrab.bit"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ransomnote" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121251" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5a8aec25-f770-4bdf-a543-4f23950d210f" ,
"value" : "GDCB-DECRYPT.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519053876" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a8aec34-8204-4027-9e22-4d3c950d210f" ,
"value" : "aedf80c426fb649bb258e430a3830d85"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519053876" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a8aec34-1638-4675-872a-4e64950d210f" ,
"value" : "6866d8d8bf8565d94e0e1479978cf1e5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519053877" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a8aec35-1e64-4c86-b38d-4890950d210f" ,
"value" : "379e149517f4119f2edb9676ec456ed4"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1519121251" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5a8bd3ad-2570-4490-bfe3-4ec0950d210f" ,
"value" : "A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1519121257" ,
"uuid" : "fdc7c223-2171-45ac-b03d-9aaf289e0612" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "fdc7c223-2171-45ac-b03d-9aaf289e0612" ,
"referenced_uuid" : "7c7e6c58-6dbb-4189-982d-3aa8636c352f" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1519121259" ,
"uuid" : "5a8bf36b-84b4-4d90-becf-48e002de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1519121254" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a8bf366-44d8-41b4-be9d-464902de0b81" ,
"value" : "2245bd90b753b7fd29b7218a0ef50435c64f8767"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1519121255" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a8bf367-ea98-415f-ac9e-466802de0b81" ,
"value" : "3e2e881ec6fcfb6329cad95c15de4a90aef1032550176c7c7729c0a0e383c615"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1519121255" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a8bf367-cf20-4ee9-bc10-4dfe02de0b81" ,
"value" : "6866d8d8bf8565d94e0e1479978cf1e5"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "1" ,
"timestamp" : "1519121255" ,
"uuid" : "7c7e6c58-6dbb-4189-982d-3aa8636c352f" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1519121255" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a8bf367-52dc-44ee-9641-4b8a02de0b81" ,
"value" : "https://www.virustotal.com/file/3e2e881ec6fcfb6329cad95c15de4a90aef1032550176c7c7729c0a0e383c615/analysis/1518976209/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1519121256" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a8bf368-5744-4b42-9759-444302de0b81" ,
"value" : "55/67"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1519121256" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5a8bf368-c0ac-437c-b853-431f02de0b81" ,
"value" : "2018-02-18T17:50:09"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1519121260" ,
"uuid" : "cd7071df-c409-4094-968c-c3c144a2a380" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "cd7071df-c409-4094-968c-c3c144a2a380" ,
"referenced_uuid" : "1317f7cd-64b0-471b-be2d-fc2cd3fd851b" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1519121259" ,
"uuid" : "5a8bf36b-bbfc-4294-b2bb-4bed02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1519121257" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5a8bf369-1e34-4201-b10c-421902de0b81" ,
"value" : "0876ad729d79da65ed4e72966d9f9d209394ebfa"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1519121257" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5a8bf369-074c-4c57-8e9f-417c02de0b81" ,
"value" : "03d68025f52d0930a99a67264a3ddad43d0a8bc9ffa0503e603311a43da1ca28"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1519121258" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5a8bf36a-1080-41c3-ae9a-41c202de0b81" ,
"value" : "aedf80c426fb649bb258e430a3830d85"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "1" ,
"timestamp" : "1519121258" ,
"uuid" : "1317f7cd-64b0-471b-be2d-fc2cd3fd851b" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1519121258" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5a8bf36a-16d0-4cb0-a81e-4c2f02de0b81" ,
"value" : "https://www.virustotal.com/file/03d68025f52d0930a99a67264a3ddad43d0a8bc9ffa0503e603311a43da1ca28/analysis/1518976703/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1519121259" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5a8bf36b-fd30-42a3-b727-4db202de0b81" ,
"value" : "49/68"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1519121259" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5a8bf36b-b100-45cf-8bdb-40ee02de0b81" ,
"value" : "2018-02-18T17:58:23"
}
]
}
]
}
}