{
"Event": {
"analysis": "2",
"date": "2018-01-29",
"extends_uuid": "",
"info": "OSINT - GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension",
"publish_timestamp": "1519121276",
"published": true,
"threat_level_id": "3",
"timestamp": "1519121264",
"uuid": "5a8aea46-0ad4-4b8a-9cfd-445b950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#2c4f00",
"name": "malware_classification:malware-category=\"Ransomware\""
},
{
"colour": "#770040",
"name": "workflow:todo=\"create-missing-misp-galaxy-cluster\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121248",
"to_ids": false,
"type": "link",
"uuid": "5a8aea94-20d8-420b-a52b-4155950d210f",
"value": "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121249",
"to_ids": true,
"type": "filename",
"uuid": "5a8aebb2-8d38-4b51-8a0f-49bf950d210f",
"value": "bleepingcomputer.bit"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121249",
"to_ids": true,
"type": "filename",
"uuid": "5a8aebb3-46cc-4143-bc91-4a17950d210f",
"value": "nomoreransom.bit"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121250",
"to_ids": true,
"type": "filename",
"uuid": "5a8aebb3-909c-4690-9520-4e50950d210f",
"value": "esetnod32.bit"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121250",
"to_ids": true,
"type": "filename",
"uuid": "5a8aebb3-6b9c-4da9-b7d7-4c08950d210f",
"value": "emsisoft.bit"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121250",
"to_ids": true,
"type": "filename",
"uuid": "5a8aebb4-97e8-480d-be52-4cd7950d210f",
"value": "gandcrab.bit"
},
{
"category": "Payload delivery",
"comment": "ransomnote",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121251",
"to_ids": true,
"type": "filename",
"uuid": "5a8aec25-f770-4bdf-a543-4f23950d210f",
"value": "GDCB-DECRYPT.txt"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519053876",
"to_ids": true,
"type": "md5",
"uuid": "5a8aec34-8204-4027-9e22-4d3c950d210f",
"value": "aedf80c426fb649bb258e430a3830d85"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519053876",
"to_ids": true,
"type": "md5",
"uuid": "5a8aec34-1638-4675-872a-4e64950d210f",
"value": "6866d8d8bf8565d94e0e1479978cf1e5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519053877",
"to_ids": true,
"type": "md5",
"uuid": "5a8aec35-1e64-4c86-b38d-4890950d210f",
"value": "379e149517f4119f2edb9676ec456ed4"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1519121251",
"to_ids": false,
"type": "comment",
"uuid": "5a8bd3ad-2570-4490-bfe3-4ec0950d210f",
"value": "A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1519121257",
"uuid": "fdc7c223-2171-45ac-b03d-9aaf289e0612",
"ObjectReference": [
{
"comment": "",
"object_uuid": "fdc7c223-2171-45ac-b03d-9aaf289e0612",
"referenced_uuid": "7c7e6c58-6dbb-4189-982d-3aa8636c352f",
"relationship_type": "analysed-with",
"timestamp": "1519121259",
"uuid": "5a8bf36b-84b4-4d90-becf-48e002de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1519121254",
"to_ids": true,
"type": "sha1",
"uuid": "5a8bf366-44d8-41b4-be9d-464902de0b81",
"value": "2245bd90b753b7fd29b7218a0ef50435c64f8767"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1519121255",
"to_ids": true,
"type": "sha256",
"uuid": "5a8bf367-ea98-415f-ac9e-466802de0b81",
"value": "3e2e881ec6fcfb6329cad95c15de4a90aef1032550176c7c7729c0a0e383c615"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1519121255",
"to_ids": true,
"type": "md5",
"uuid": "5a8bf367-cf20-4ee9-bc10-4dfe02de0b81",
"value": "6866d8d8bf8565d94e0e1479978cf1e5"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1519121255",
"uuid": "7c7e6c58-6dbb-4189-982d-3aa8636c352f",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1519121255",
"to_ids": false,
"type": "link",
"uuid": "5a8bf367-52dc-44ee-9641-4b8a02de0b81",
"value": "https://www.virustotal.com/file/3e2e881ec6fcfb6329cad95c15de4a90aef1032550176c7c7729c0a0e383c615/analysis/1518976209/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1519121256",
"to_ids": false,
"type": "text",
"uuid": "5a8bf368-5744-4b42-9759-444302de0b81",
"value": "55/67"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1519121256",
"to_ids": false,
"type": "datetime",
"uuid": "5a8bf368-c0ac-437c-b853-431f02de0b81",
"value": "2018-02-18T17:50:09"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1519121260",
"uuid": "cd7071df-c409-4094-968c-c3c144a2a380",
"ObjectReference": [
{
"comment": "",
"object_uuid": "cd7071df-c409-4094-968c-c3c144a2a380",
"referenced_uuid": "1317f7cd-64b0-471b-be2d-fc2cd3fd851b",
"relationship_type": "analysed-with",
"timestamp": "1519121259",
"uuid": "5a8bf36b-bbfc-4294-b2bb-4bed02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1519121257",
"to_ids": true,
"type": "sha1",
"uuid": "5a8bf369-1e34-4201-b10c-421902de0b81",
"value": "0876ad729d79da65ed4e72966d9f9d209394ebfa"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1519121257",
"to_ids": true,
"type": "sha256",
"uuid": "5a8bf369-074c-4c57-8e9f-417c02de0b81",
"value": "03d68025f52d0930a99a67264a3ddad43d0a8bc9ffa0503e603311a43da1ca28"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1519121258",
"to_ids": true,
"type": "md5",
"uuid": "5a8bf36a-1080-41c3-ae9a-41c202de0b81",
"value": "aedf80c426fb649bb258e430a3830d85"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1519121258",
"uuid": "1317f7cd-64b0-471b-be2d-fc2cd3fd851b",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1519121258",
"to_ids": false,
"type": "link",
"uuid": "5a8bf36a-16d0-4cb0-a81e-4c2f02de0b81",
"value": "https://www.virustotal.com/file/03d68025f52d0930a99a67264a3ddad43d0a8bc9ffa0503e603311a43da1ca28/analysis/1518976703/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1519121259",
"to_ids": false,
"type": "text",
"uuid": "5a8bf36b-fd30-42a3-b727-4db202de0b81",
"value": "49/68"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1519121259",
"to_ids": false,
"type": "datetime",
"uuid": "5a8bf36b-b100-45cf-8bdb-40ee02de0b81",
"value": "2018-02-18T17:58:23"
}
]
}
]
}
}