misp-circl-feed/feeds/circl/misp/56e12e66-f01c-41be-afea-4d9a950d210f.json

{
"Event": {
"analysis": "0",
"date": "2016-03-10",
"extends_uuid": "",
"info": "Cerber Ransomware",
"publish_timestamp": "1457605279",
"published": true,
"threat_level_id": "3",
"timestamp": "1457605235",
"uuid": "56e12e66-f01c-41be-afea-4d9a950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#3b7500",
"name": "circl:incident-classification=\"malware\""
},
{
"colour": "#2c4f00",
"name": "malware_classification:malware-category=\"Ransomware\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Payment site",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457598168",
"to_ids": true,
"type": "url",
"uuid": "56e12ed8-18e4-4f3b-8767-49f5950d210f",
"value": "decrypttozxybarc.onion"
},
{
"category": "Network activity",
"comment": "Geo lookup",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457598169",
"to_ids": false,
"type": "url",
"uuid": "56e12ed9-2378-4c4d-bc31-435b950d210f",
"value": "http://ipinfo.io/json"
},
{
"category": "Network activity",
"comment": "Geo lookup",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457598169",
"to_ids": false,
"type": "url",
"uuid": "56e12ed9-56ec-46fa-829b-42f6950d210f",
"value": "http://freegeoip.net/json/"
},
{
"category": "Network activity",
"comment": "Geo lookup",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457598169",
"to_ids": false,
"type": "url",
"uuid": "56e12ed9-eefc-4ed9-9d14-4949950d210f",
"value": "http://ip-api.com/json"
},
{
"category": "Payload delivery",
"comment": "Cerber executable (created: Fri Feb 26 10:28:56 2016)",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1457598338",
"to_ids": true,
"type": "malware-sample",
"uuid": "56e12f82-0c54-4c98-a49d-4de7950d210f",
"value": "a5ff5f.exe|2f7059d7b1dda3080e391d99788fff18"
},
{
"category": "Payload delivery",
"comment": "Cerber executable (created: Fri Feb 26 10:28:56 2016)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457598339",
"to_ids": true,
"type": "filename|sha1",
"uuid": "56e12f83-98e0-490c-9820-4807950d210f",
"value": "a5ff5f.exe|0af6bde11eaa699604aa92cce9a6210dfce70f42"
},
{
"category": "Payload delivery",
"comment": "Cerber executable (created: Fri Feb 26 10:28:56 2016)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457598340",
"to_ids": true,
"type": "filename|sha256",
"uuid": "56e12f84-d92c-455f-9ecf-4e30950d210f",
"value": "a5ff5f.exe|a5ff5f861bbb1ac7c6fd44f303f735fac01273ce2ae43a8acb683076192fcfcc"
},
{
"category": "Payload installation",
"comment": "# DECRYPT MY FILES #.vbs",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457604851",
"to_ids": false,
"type": "text",
"uuid": "56e148f3-461c-4d44-ace6-493f950d210f",
"value": "Set SAPI = CreateObject(\"SAPI.SpVoice\")\r\nSAPI.Speak \"Attention! Attention! Attention!\"\r\nFor i = 1 to 5\r\nSAPI.Speak \"Your documents, photos, databases and other important files have been encrypted!\"\r\nNext"
},
{
"category": "Payload installation",
"comment": "# DECRYPT MY FILES #.txt",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457604925",
"to_ids": false,
"type": "text",
"uuid": "56e1493d-c33c-4e3e-bcdd-4ae7950d210f",
"value": "C E R B E R\r\n -----------\r\n\r\n\r\n Your documents, photos, databases and other important files have been encrypted!\r\n\r\n\r\n To decrypt your files follow the instructions:\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n 1. Download and install the \"Tor Browser\" from https://www.torproject.org/\r\n\r\n\r\n 2. Run it\r\n\r\n\r\n 3. In the \"Tor Browser\" open website:\r\n\r\n http://decrypttozxybarc.onion/F97F-EFC0-B07D-003F-3EA6\r\n\r\n\r\n 4. Follow the instructions at this website\r\n\r\n\r\n ---------------------------------------------------------------------------------------\r\n\r\n\r\n \u00c2\u00ab...Quod me non necat me fortiorem facit.\u00c2\u00bb"
},
{
"category": "Payload installation",
"comment": "# DECRYPT MY FILES #.html",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457605002",
"to_ids": false,
"type": "text",
"uuid": "56e1498a-da10-48f7-995e-4fda950d210f",
"value": "<!DOCTYPE html>\r\n<html lang=\"en\">\r\n <head>\r\n <link href=\"http://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css\" rel=\"stylesheet\">\r\n <meta charset=\"utf-8\">\r\n <meta content=\"IE=edge\" http-equiv=\"X-UA-Compatible\">\r\n <meta content=\"width=device-width, initial-scale=1\" name=\"viewport\">\r\n <title>C E R B E R</title>\r\n </head>\r\n <body>\r\n <div class=\"container\">\r\n <h3 align=\"center\">C E R B E R</h3>\r\n <br />\r\n <h4>Your documents, photos, databases and other important files have been encrypted!<br /><br />To decrypt your files follow the instructions:</h4>\r\n <br />\r\n <div class=\"well\">\r\n <h4>1.&nbsp;&nbsp;&nbsp;Download and install the &laquo;Tor Browser&raquo; from <a href=\"https://www.torproject.org/download/download-easy.html.en\" target=\"_blank\">https://www.torproject.org/</a></h4>\r\n <br />\r\n <h4>2.&nbsp;&nbsp;&nbsp;Run it</h4>\r\n <br />\r\n <h4>3.&nbsp;&nbsp;&nbsp;In the &laquo;Tor Browser&raquo; open website:<br /><br /><div class=\"form-group\" style=\"margin: 0 32px 36px 32px;\"><input class=\"form-control\" style=\"color: #c24; font-size: 22px; height: 50px; text-align: center;\" type=\"text\" value=\"http://decrypttozxybarc.onion/F97F-EFC0-B07D-003F-3EA6\" readonly></div></h4>\r\n <h4>4.&nbsp;&nbsp;&nbsp;Follow the instructions at this website</h4>\r\n </div>\r\n <br />\r\n <p style=\"color: #ccc;\">&laquo;...Quod me non necat me fortiorem facit.&raquo;</p>\r\n <br />\r\n </div>\r\n </body>\r\n</html>"
},
{
"category": "Network activity",
"comment": "stylesheet loaded from here",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457605064",
"to_ids": false,
"type": "url",
"uuid": "56e149c8-4648-4514-ba41-4f92950d210f",
"value": "http://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css"
},
{
"category": "Network activity",
"comment": "Onion server for payment",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457605143",
"to_ids": true,
"type": "hostname",
"uuid": "56e14a17-4f34-4ffd-8ef8-4990950d210f",
"value": "decrypttozxybarc.onion"
},
{
"category": "Financial fraud",
"comment": "Bitcoin address",
"deleted": false,
"disable_correlation": false,
"timestamp": "1457605235",
"to_ids": false,
"type": "btc",
"uuid": "56e14a73-f9ac-4fea-98f4-46e0950d210f",
"value": "1GCaWA685Nj2PqqG7P2ZBACYZB8ZtpQuQ9"
}
]
}
}