misp-circl-feed/feeds/circl/misp/59f04ba5-e890-4534-8fa9-47dd950d210f.json


{
"Event": {
"analysis": "2",
"date": "2017-10-25",
"extends_uuid": "",
"info": "OSINT - BadRabbit Ransomware Compiled by ThaiCERT, a member of the Electronic Transactions Development Agency",
"publish_timestamp": "1508930601",
"published": true,
"threat_level_id": "3",
"timestamp": "1508929710",
"uuid": "59f04ba5-e890-4534-8fa9-47dd950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:ransomware=\"Bad Rabbit\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:preventive-measure=\"Restrict Workstation Communication\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:preventive-measure=\"Backup and Restore Process\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "Report 0.2 from ThaiCert",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921209",
"to_ids": false,
"type": "attachment",
"uuid": "59f04c02-c344-41df-834f-4b4c950d210f",
"value": "BadRabbit Ransomware v0.2.pdf",
"Tag": [
{
"colour": "#002b4a",
"name": "osint:source-type=\"technical-report\""
}
]
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921209",
"to_ids": false,
"type": "text",
"uuid": "59f04c43-0da0-47ac-9dd8-47aa950d210f",
"value": "Win32/Diskcoder.D"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921209",
"to_ids": false,
"type": "text",
"uuid": "59f04c43-98a4-4ed8-b4ff-48c2950d210f",
"value": "Trojan-Ransom.Win32.Gen.ftl"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921209",
"to_ids": false,
"type": "text",
"uuid": "59f04c43-d550-4bd6-912a-457c950d210f",
"value": "Win32/Tibbar.A"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921209",
"to_ids": false,
"type": "text",
"uuid": "59f04c43-23a4-4f3d-aea4-4a8e950d210f",
"value": "Troj/Ransom-ERK"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921209",
"to_ids": false,
"type": "text",
"uuid": "59f04c56-7f1c-4ee7-b43c-4bc8950d210f",
"value": "new ransomware strain named BadRabbit is wreaking havoc in many Eastern European countries,\r\naffecting both government agencies and private businesses alike.\r\nAt the time of writing, the ransomware has hit countries such as Russia, Ukraine, Bulgaria, and Turkey.\r\nConfirmed victims include the Odessa airport in Ukraine, the Kiev subway system in Ukraine, the\r\nUkrainian Ministry of Infrastructure, and three Russian news agencies, including Interfax and Fontanka.\r\nUkraine's CERT team has posted an alert and is warning Ukrainian businesses about this new outbreak.\r\nThe speed with which BadRabbit spread is similar to the WannaCry and NotPetya outbreaks that have hit\r\nin May and June this year, respectively.\r\nThe domain where the malware is downloaded from has been taken down already.\r\nAt the time of writing, no recovery tools for the encryption have been found."
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926756",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-d584-4493-b8e1-4367950d210f",
"value": "https://securingtomorrow.mcafee.com/mcafee-labs/badrabbit-ransomware-burrows-russia-ukraine/"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926607",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-b790-48b4-9492-4d4b950d210f",
"value": "https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926553",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-9658-4755-ab9c-4860950d210f",
"value": "https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926544",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-2188-4046-b429-4a25950d210f",
"value": "https://securelist.com/bad-rabbit-ransomware/82851/"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926563",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-2c10-43f3-9b66-4f48950d210f",
"value": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926574",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-6efc-4c7d-aa76-40de950d210f",
"value": "https://www.group-ib.com/blog/badrabbit"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926617",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-2bcc-4171-887e-4084950d210f",
"value": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Tibbar.A"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926478",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-6c44-437d-9ac0-4ebb950d210f",
"value": "http://blog.talosintelligence.com/2017/10/bad-rabbit.html"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926534",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-971c-4c87-bec5-4110950d210f",
"value": "https://otx.alienvault.com/pulse/59ef5e053db003162704fcb2/"
},
{
"category": "External analysis",
"comment": "Malware analysis sources",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926585",
"to_ids": false,
"type": "link",
"uuid": "59f04c7b-ea28-4569-b8b3-4e2b950d210f",
"value": "https://labs.bitdefender.com/2017/10/bad-rabbit-ransomware-strikes-ukraine-likely-related-to-goldeneye/"
},
{
"category": "External analysis",
"comment": "International advisories",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926644",
"to_ids": false,
"type": "link",
"uuid": "59f04c8a-edfc-4f0f-97a2-4d37950d210f",
"value": "https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926793",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-d00c-4043-897c-44db950d210f",
"value": "https://www.csoonline.com/article/3234691/security/badrabbit-ransomware-attacks-multiple-media-outlets.html"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926764",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-ad18-4172-92c5-43b2950d210f",
"value": "https://www.cyberscoop.com/badrabbit-ransomware-spreading-across-ukraine-russia/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926803",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-53a4-4546-a05f-4a38950d210f",
"value": "https://www.darkreading.com/attacks-breaches/bad-rabbit-ransomware-attacks-rock-russia-ukraine---and-"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926786",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-8a84-4e67-b96a-4bcc950d210f",
"value": "https://www.infosecurity-magazine.com/news/new-waves-of-ransomware-spread/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926779",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-00f0-4d6c-861f-4f0a950d210f",
"value": "https://www.itnews.com.au/news/is-bad-rabbit-the-new-notpetya-476121"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925851",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-9080-49be-96b2-4b33950d210f",
"value": "https://blog.malwarebytes.com/cybercrime/2017/10/badrabbit-ransomware-strikes-eastern-europe/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-76d0-4712-b9bf-41fa950d210f",
"value": "https://motherboard.vice.com/en_us/article/59yb4q/bad-rabbit-petya-ransomware-russia-ukraine"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926772",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-18fc-4672-8078-41e5950d210f",
"value": "https://nakedsecurity.sophos.com/2017/10/24/bad-rabbit-ransomware-outbreak/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926705",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-0d54-42c2-bfea-4017950d210f",
"value": "https://researchcenter.paloaltonetworks.com/2017/10/threat-brief-information-bad-rabbit-ransomware-attacks/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926689",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-f1a8-4ee7-9195-4a3c950d210f",
"value": "http://www.reuters.com/article/us-ukraine-cyber/new-wave-of-cyber-attacks-hits-ukraine-and-russia-"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926697",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-16cc-4f80-8ba4-406e950d210f",
"value": "http://www.reuters.com/article/us-ukraine-cyber/new-cyber-attacks-hit-airport-metro-in-ukraine-"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926635",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-7f20-4363-8096-4a8c950d210f",
"value": "http://securityaffairs.co/wordpress/64713/malware/bad-rabbit-ransomware.html"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926670",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-14f0-4ad8-bbb4-4c6b950d210f",
"value": "https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926598",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-4624-4a61-bb1d-4a80950d210f",
"value": "https://www.theregister.co.uk/2017/10/24/badrabbit_ransomware/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-b7c4-4496-94b5-4bd4950d210f",
"value": "https://threatpost.com/badrabbit-ransomware-attacks-hitting-russia-ukraine/128593/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926679",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-1c5c-48a5-940e-4846950d210f",
"value": "https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926661",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-2cd4-407f-93cc-47e3950d210f",
"value": "https://www.kaspersky.com/blog/bad-rabbit-ransomware/19887/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926653",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-2384-4933-a65f-44a4950d210f",
"value": "https://www.pcmag.com/news/356977/badrabbit-ransomware-targets-systems-in-russia-ukraine"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926626",
"to_ids": false,
"type": "link",
"uuid": "59f04ca9-20b4-41b5-9814-45da950d210f",
"value": "https://www.technologyreview.com/the-download/609206/a-new-strain-of-ransomware-is-hitting-eastern-europe/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925901",
"to_ids": false,
"type": "link",
"uuid": "59f04caa-13e0-43c0-b1ab-4f6a950d210f",
"value": "https://www.bloomberg.com/news/articles/2017-10-24/russian-news-agency-interfax-faces-unprecedented-hacker-"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04caa-a06c-4fa8-9068-4cdf950d210f",
"value": "https://www.washingtontimes.com/news/2017/oct/24/badrabbit-ransomware-strain-infects-russian-media-/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925901",
"to_ids": false,
"type": "link",
"uuid": "59f04caa-f4dc-454f-8eee-416d950d210f",
"value": "https://techcrunch.com/2017/10/24/badrabbit-notpetya-russia-ukraine-ransomware-malware/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925901",
"to_ids": false,
"type": "link",
"uuid": "59f04caa-2cc8-483e-a992-4be4950d210f",
"value": "http://www.bbc.co.uk/news/technology-41740768"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925901",
"to_ids": false,
"type": "link",
"uuid": "59f04caa-c97c-4ed4-a364-410d950d210f",
"value": "http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04caa-0a40-4ec0-aadc-498e950d210f",
"value": "https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925901",
"to_ids": false,
"type": "link",
"uuid": "59f04cbe-55c4-43b3-9b81-4a39950d210f",
"value": "https://arstechnica.com/information-technology/2017/10/new-wave-of-data-encrypting-malware-crashes-through-"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04cbe-eed8-40ca-aad0-464f950d210f",
"value": "https://www.scmagazine.com/badrabbit-ransomware-spreading-in-russia-and-the-ukraine-vaccine-"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925901",
"to_ids": false,
"type": "link",
"uuid": "59f04cbe-a1a4-416b-9f68-4764950d210f",
"value": "https://www.bangkokpost.com/news/world/1348551/new-badrabbit-ransomware-attacks-hit-europe"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508925901",
"to_ids": false,
"type": "link",
"uuid": "59f04cbe-e4e4-4d6d-8eab-4e42950d210f",
"value": "https://isc.sans.edu/forums/diary/BadRabbit+New+ransomware+wave+hitting+RU+UA/22964/"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04cbe-c9dc-4e7f-98ee-43e3950d210f",
"value": "https://gizmodo.com/bad-rabbit-ransomware-strikes-russia-and-ukraine-1819814538"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04cbe-09b0-4172-9c38-4ece950d210f",
"value": "http://money.cnn.com/2017/10/24/technology/bad-rabbit-ransomware-attack/index.html"
},
{
"category": "External analysis",
"comment": "English news references",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04cbe-1888-4a4e-8e13-4f6e950d210f",
"value": "https://www.windowscentral.com/new-bad-rabbit-ransomware-attack-spreading-across-europe"
},
{
"category": "External analysis",
"comment": "\"Vaccine found\" Mitigation",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508929710",
"to_ids": false,
"type": "link",
"uuid": "59f04ce0-ace4-4fd9-a5e1-4384950d210f",
"value": "https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware"
},
{
"category": "Financial fraud",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926904",
"to_ids": true,
"type": "btc",
"uuid": "59f04ddb-4394-4395-a6dc-4cad950d210f",
"value": "1GxXGMoz7HAVwRDZd7ezkKipY4DHLUqzmM"
},
{
"category": "Financial fraud",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508926899",
"to_ids": true,
"type": "btc",
"uuid": "59f04ddb-8c10-49a8-8478-4af9950d210f",
"value": "17GhezAiRhgB8DGArZXBkrZBFTGCC9SQ2Z"
},
{
"category": "Network activity",
"comment": "Distribution URL 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "url",
"uuid": "59f04e08-25d8-45ee-8504-4e93950d210f",
"value": "http://1dnscontrol.com/flash_install.php"
},
{
"category": "Network activity",
"comment": "Distribution URL 2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "url",
"uuid": "59f04e08-95a8-4618-9479-44db950d210f",
"value": "http://1dnscontrol.com/index.php"
},
{
"category": "Network activity",
"comment": "Inject URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "url",
"uuid": "59f04e08-ccc4-488b-b969-4333950d210f",
"value": "http://185.149.120.3/scholargoogle/"
},
{
"category": "Network activity",
"comment": "Payment site",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "url",
"uuid": "59f04e08-6ae4-489b-be10-4669950d210f",
"value": "http://caforssztxqzf2nm.onion"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "windows-scheduled-task",
"uuid": "59f04e1b-213c-4331-928a-4c81950d210f",
"value": "viserion_"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "windows-scheduled-task",
"uuid": "59f04e1b-a3f8-4600-8f29-40ea950d210f",
"value": "rhaegal"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "windows-scheduled-task",
"uuid": "59f04e1b-c00c-4b3e-ac65-4124950d210f",
"value": "drogon"
},
{
"category": "Payload delivery",
"comment": "diskcryptor client",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha256",
"uuid": "59f04e62-cb50-4df9-abff-4be0950d210f",
"value": "8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93"
},
{
"category": "Payload delivery",
"comment": "mimikatz-like x86",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha256",
"uuid": "59f04e62-b7e4-48b7-8223-485f950d210f",
"value": "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035"
},
{
"category": "Payload delivery",
"comment": "mimikatz-like x64",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha256",
"uuid": "59f04e62-6178-4db1-8e6b-41d0950d210f",
"value": "301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c"
},
{
"category": "Payload delivery",
"comment": "infpub.dat diskcoder",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha256",
"uuid": "59f04e9c-1a6c-4b65-ace5-4043950d210f",
"value": "579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648"
},
{
"category": "Payload delivery",
"comment": "cscc.dat x32 diskcryptor drv",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha256",
"uuid": "59f04e9c-94e4-4a5c-91e5-481a950d210f",
"value": "682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806"
},
{
"category": "Payload delivery",
"comment": "cscc.dat x64 diskcryptor drv",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha256",
"uuid": "59f04e9c-0ad8-41a7-9039-45a2950d210f",
"value": "0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6"
},
{
"category": "Payload delivery",
"comment": "install_flash_player.exe dropper",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha256",
"uuid": "59f04eb4-d490-4167-a395-4b88950d210f",
"value": "630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da"
},
{
"category": "Payload delivery",
"comment": "install_flash_player.exe dropper - Xchecked via VT: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha1",
"uuid": "59f04f7a-dd8c-4fb0-a584-4d3202de0b81",
"value": "de5c8d858e6e41da715dca1c019df0bfb92d32c0"
},
{
"category": "Payload delivery",
"comment": "install_flash_player.exe dropper - Xchecked via VT: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "md5",
"uuid": "59f04f7a-9058-4c94-b7d7-44eb02de0b81",
"value": "fbbdc39af1139aebba4da004475e8839"
},
{
"category": "External analysis",
"comment": "install_flash_player.exe dropper - Xchecked via VT: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": false,
"type": "link",
"uuid": "59f04f7a-ede0-414e-89d5-49a902de0b81",
"value": "https://www.virustotal.com/file/630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da/analysis/1508920901/"
},
{
"category": "Payload delivery",
"comment": "cscc.dat x64 diskcryptor drv - Xchecked via VT: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha1",
"uuid": "59f04f7a-a1bc-4d00-ab1f-408a02de0b81",
"value": "08f94684e83a27f2414f439975b7f8a6d61fc056"
},
{
"category": "Payload delivery",
"comment": "cscc.dat x64 diskcryptor drv - Xchecked via VT: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "md5",
"uuid": "59f04f7a-f30c-4b40-8e0b-41eb02de0b81",
"value": "edb72f4a46c39452d1a5414f7d26454a"
},
{
"category": "External analysis",
"comment": "cscc.dat x64 diskcryptor drv - Xchecked via VT: 0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": false,
"type": "link",
"uuid": "59f04f7a-ffb8-4ccf-a9e4-4a8c02de0b81",
"value": "https://www.virustotal.com/file/0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6/analysis/1508918584/"
},
{
"category": "Payload delivery",
"comment": "cscc.dat x32 diskcryptor drv - Xchecked via VT: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha1",
"uuid": "59f04f7a-52b0-4877-b62a-45f802de0b81",
"value": "59cd4907a438b8300a467cee1c6fc31135757039"
},
{
"category": "Payload delivery",
"comment": "cscc.dat x32 diskcryptor drv - Xchecked via VT: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "md5",
"uuid": "59f04f7a-6898-4e2e-84f0-4d5c02de0b81",
"value": "b4e6d97dafd9224ed9a547d52c26ce02"
},
{
"category": "External analysis",
"comment": "cscc.dat x32 diskcryptor drv - Xchecked via VT: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": false,
"type": "link",
"uuid": "59f04f7a-0b4c-4347-ba7a-4bde02de0b81",
"value": "https://www.virustotal.com/file/682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806/analysis/1508920930/"
},
{
"category": "Payload delivery",
"comment": "infpub.dat diskcoder - Xchecked via VT: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha1",
"uuid": "59f04f7a-80dc-41da-97fd-476202de0b81",
"value": "79116fe99f2b421c52ef64097f0f39b815b20907"
},
{
"category": "Payload delivery",
"comment": "infpub.dat diskcoder - Xchecked via VT: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "md5",
"uuid": "59f04f7a-eca0-453f-88f3-425902de0b81",
"value": "1d724f95c61f1055f0d02c2154bbccd3"
},
{
"category": "External analysis",
"comment": "infpub.dat diskcoder - Xchecked via VT: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": false,
"type": "link",
"uuid": "59f04f7a-0e90-4e91-85c6-433702de0b81",
"value": "https://www.virustotal.com/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/1508917915/"
},
{
"category": "Payload delivery",
"comment": "mimikatz-like x64 - Xchecked via VT: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "sha1",
"uuid": "59f04f7a-de34-4cca-ad90-4b9302de0b81",
"value": "413eba3973a15c1a6429d9f170f3e8287f98c21c"
},
{
"category": "Payload delivery",
"comment": "mimikatz-like x64 - Xchecked via VT: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921210",
"to_ids": true,
"type": "md5",
"uuid": "59f04f7a-26ac-4faf-a5c9-412402de0b81",
"value": "347ac3b6b791054de3e5720a7144a977"
},
{
"category": "External analysis",
"comment": "mimikatz-like x64 - Xchecked via VT: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921211",
"to_ids": false,
"type": "link",
"uuid": "59f04f7b-9318-4819-94bb-419e02de0b81",
"value": "https://www.virustotal.com/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/1508918790/"
},
{
"category": "Payload delivery",
"comment": "mimikatz-like x86 - Xchecked via VT: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921211",
"to_ids": true,
"type": "sha1",
"uuid": "59f04f7b-9110-465c-98b1-4ebf02de0b81",
"value": "16605a4a29a101208457c47ebfde788487be788d"
},
{
"category": "Payload delivery",
"comment": "mimikatz-like x86 - Xchecked via VT: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921211",
"to_ids": true,
"type": "md5",
"uuid": "59f04f7b-7134-494e-9467-411b02de0b81",
"value": "37945c44a897aa42a66adcab68f560e0"
},
{
"category": "External analysis",
"comment": "mimikatz-like x86 - Xchecked via VT: 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921211",
"to_ids": false,
"type": "link",
"uuid": "59f04f7b-667c-4ad9-ad32-42b102de0b81",
"value": "https://www.virustotal.com/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/1508915760/"
},
{
"category": "Payload delivery",
"comment": "diskcryptor client - Xchecked via VT: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921211",
"to_ids": true,
"type": "sha1",
"uuid": "59f04f7b-d238-4e6b-8d21-445502de0b81",
"value": "afeee8b4acff87bc469a6f0364a81ae5d60a2add"
},
{
"category": "Payload delivery",
"comment": "diskcryptor client - Xchecked via VT: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921211",
"to_ids": true,
"type": "md5",
"uuid": "59f04f7b-c8e0-4bdf-a5c9-46ed02de0b81",
"value": "b14d8faf7f0cbcfad051cefe5f39645f"
},
{
"category": "External analysis",
"comment": "diskcryptor client - Xchecked via VT: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93",
"deleted": false,
"disable_correlation": false,
"timestamp": "1508921211",
"to_ids": false,
"type": "link",
"uuid": "59f04f7b-099c-46e6-a0b0-4a4f02de0b81",
"value": "https://www.virustotal.com/file/8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93/analysis/1508918221/"
}
]
}
}