{
"Event" : {
"analysis" : "0" ,
"date" : "2016-03-11" ,
"extends_uuid" : "" ,
"info" : "'Surprise' Ransomware (2016-03-11)" ,
"publish_timestamp" : "1457709051" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1457708105" ,
"uuid" : "56e2d5fc-4238-4b3a-9d7b-4539950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#3b7500" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"malware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "C&C (down)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457706780" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "56e2d71c-af30-4ac8-9fbc-4e49950d210f" ,
"value" : "http://pulseaudio.duckdns.org/pull.php"
} ,
{
"category" : "Network activity" ,
"comment" : "Email to request payment info" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457708098" ,
"to_ids" : true ,
"type" : "email-dst" ,
"uuid" : "56e2d71d-89cc-4680-ae77-4a86950d210f" ,
"value" : "nowayout@protonmail.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Email to request payment info" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457708105" ,
"to_ids" : true ,
"type" : "email-dst" ,
"uuid" : "56e2d71d-4fb4-4b25-997e-49e6950d210f" ,
"value" : "nowayout@sigaint.org"
} ,
{
"category" : "Payload delivery" ,
"comment" : "File displaying information" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457706781" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "56e2d71d-79dc-4caa-8432-453a950d210f" ,
"value" : "DECRYPTION_HOWTO.Notepad"
} ,
{
"category" : "Network activity" ,
"comment" : "Imported via the freetext import." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457706793" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "56e2d729-5444-4dc8-a042-48f4950d210f" ,
"value" : "pulseaudio.duckdns.org"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"data" : " U E s D B B Q A C Q A I A D F 0 a 0 h T E L H f 2 B k B A A B A A g A g A B w A Y z M 0 Z m I x N W M 1 Z j k z Y z J i Z D F i O G E x Y m E y O T U 2 N j g z N 2 Z V V A k A A z 3 X 4 l Y 91 + J W d X g L A A E E I Q A A A A Q h A A A A m W 2 z + X z W u e r A C 1 u i I P c u e U a S E K A y 23 r P T Q 3 B B D M T l P N H e I i K Z b 47 e / u F h / Z i M Q e L n S u X G x 4 T U q 1 c N f G I x n x X / L F O R j 7 z P i h b u a j 0 Q v p F W + 1 C j o I T f e 8 i / b Y D K u g M Y O e S V / 2 g m / y h l i 9 p M c k E 3 A A E i w n d M o 48 C m D C P 7 X T G m f t z Q K q X 4 / r A Y X Q e q e V T m b 1 x O S k Z p 1 k C J + 8 f S + 1 + x 8 F A r Z 5 Q N z G g N d c H A v L k v D M 8 W H d 9 s o E S X / 8 S h s l g n Z A U S D C 0 W t u P H j T H 4 b n a Y T P f e q z U G d g 2 P O 3 C U c 0 x t 2 + 9 J b a k t x i S / v M z r h e 10 n t y I + / o + m Z W k S E k r / J Z U 321 O K P j v i D d j k Y G 7 l b O S 1 B V N j Z t n J D k U L p s R m T F t H P J p a F z c 4 a 3 D C S T q j n R B c 5 g T i s p 4 B Y 5 o Z J x f a x R V I N B 5 N + X / f g o d U S Q b 1 O j i B / K U d S S / 2 O J 8 O T B B l 2 P p G b O j k 5 m s b 9 y s a r o A S X v f 4 h 1 P 2E0 b t J R 3 X 0 7 g i m j y C 7 k J 5 h s / q Z D + a b I v 7 b k g s k K B X 2 w Q 89 + w w 7 R i e s I C y Z v n i 2 d 5 x f v 6 S f g / R 6 k I k A 4 O P f S f l b a m j c V + z D F D 1 H 3 p 4 F r c Q 0 z h C G a j m h D l w I 89 x c o l I p I K 6 t S V 3 O m e y a A X X o B E v 2 g 1 z M R F y C Z H 7 m x a R / 2 / A l E A 96 j W F s u S p O Z p p F m d a G 0 Q e R 3 C o D O j v w u + 4 P D X w U q a p n I H 8 R d U l h W N j e l P H m g p q s t L z X J / 6 + V 8 u d V r e g f o t 8 K w R t + A z S X Q G 1 H W 7 / A i E u 6 w M 3 G d I 5 m u U t e A Y / Z q f E n p h w O K 0 U b A J P T B P s 2 c n 7 H 9 N v a P p J 40 c v d X Y O W C T D h c 2 n h i E z y 2 / Y X j F 0 / Q 1 F B P E Z X 6 T b d b 0 F V g V e O d 70 R P J g 1 h s m O f m e 6 Z W 57 G s R A i I I w k 4 l 6 M z 99 s z 3 b 3 q 1 u G 
y d s e n d Z I q I z M E J n O Q w L 6 v 1 / + t d l y Z y s 3 s W N u R P l o 3 I D 4 + I I L y / 107 m k H z E U K k q i X f f 9 K F r b P 1 y N l 11 x S F v j 3 O 54 N G P I 9 t d F 1 x 3 b 48 D I I a 1 O B U 8 n w O C 25 k z + / k f U F 5 A Y D 9 X g 4 x / v E D O 7 / l G w 5 O 54 V E P 0 B B h m p 8 j N 6 P C + g s 0 d 6 b N W e d T Q 5 o y 6 t / 8 u e H s + V 6 d Z n M S q 9 d 0 R s Y 73 g 3 I n 0 p I P W A R P x X l l I r 5 k H m F C 3 f q C x T L Z a w m s Z Y X m c I e 2 a X i j X 2 + T i p T f X r Q i T B 39 I e e M g 3 u Y / D R 3 e l W 3 J J F h T w l a H V D y V S t 9 j 3 o m x h I 8 f N p x i I D + U a / o R g N 8 y L r F c N G O V 9 K B 7 j D g I C 5 m 3 y O 9 r 0 X t / L T 9 M U B 4 A A w d N N h t G d 0 2 k p K b 2 H 1 X A G S N v s 0 y A d F j s l h j Z o g x x o O Y U c V U N o 5 W E o k A u v z i o V 87 / G 2 U 4 m 8 t 5 A x M Q 2 H u J J a 7 q b Y x o H y R Q P 0 Q v Z E l g W y w 19 X 1 P C + K a g Z 7 R u T Z s Z t 6 p x T H v / o n t w r l P d r 6 L M B D e j e D q A 3 q B l V d 6 X v 0E9 T 7 R q o 9 + R G 1 S J H N F U C a 4 Z M z 3 C O G M Z v / n + X h g J r E P + w N G S u E u 182 m d D q t g o S M R n I a c Y 3 h + x X X f V 8 m M c q 0 M 2 a B N 9 z c M v x z f d + s H Z W N H g K 4 D C Y f q G 0 w t q H F + j O a r R o j b d B F D h i D g h q r B V W j P d R d 1 E j b v H j j y o 4 L o l w i O m 2 / 6 Y s Y z 9 R K 5 l Z A b 5688 L o f e v 9 v H T H A a + Y 6 q 4 E n e N o v B H S 6 e F l G h K X B F 3 G p H s W G v N u X h H X o 1 M 4 m K P z m y c w p I T / y B Q C O f b Q L + 4 E I T h 7 Z g R U a + V i 0 R 7 d E L e w t q / D i u h 7 / z u L J / a + + E Q U X N P d q 3 Z s h x b R s A f 98 s m f x 1 Y R q v C J Y U U v e w c W f y k x L F D D H F W J 8 / o o D f 9 W Q I E q 9 t 7 w W O Q 3 O e s j 3 P 0 2 J y f 9 U Q v F E n A 6 W 8 x g k 2 r P B / p c j o 3 h U m F A g q y j f y 6 c z 0 y E S K i 3 y v v 1 Z b I k T k G V 207 s Z t J L 6 Y 4 A 9 M n A h 7 + S 2 / M p r w e I V A P L S b B r J s b 3 m t P 3 P 8 R m 1 U l j j 3 M 
V + E O Z W E 5 H x U m I v E 1 h L a G 3 a S k I r C 2 P F I L f L u z o 6 b c V z L h K B 3 v q W S N u Q y o i b T p v 2 y A b 2 I i h 8 / 6 S 5 s W M f i k T z w R S Q A Z v L o o 6 x B b C o 83 r h n 7 b k 2 q R 1 Z a 4 W P u O t G 6 A l d c p X R P D i Y z h 5 x 7 D 6 R O T / + P 6 M E 25 + o S r U b S c w 6 X F z 6 s 8 H c 6 Z t J Q G 9 m J S u 7 n n H 1 d a 7 u z z f F n 5 Y e 1 v 55 O s 62 m F z H u T E n 3 n d E B z a t S M x X n V P s 14 s V w 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457706813" ,
"to_ids" : true ,
"type" : "malware-sample" ,
"uuid" : "56e2d73d-3838-4a28-9bd1-414a950d210f" ,
"value" : "surprise.exe|c34fb15c5f93c2bd1b8a1ba29566837f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457706814" ,
"to_ids" : true ,
"type" : "filename|sha1" ,
"uuid" : "56e2d73e-cfc4-4c5c-93cb-405b950d210f" ,
"value" : "surprise.exe|bee22913ad9d6c9a37152aa65daa6bd9beca00eb"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457706814" ,
"to_ids" : true ,
"type" : "filename|sha256" ,
"uuid" : "56e2d73e-6d5c-4891-b2c5-4b1b950d210f" ,
"value" : "surprise.exe|ddb0c54759fada5cff7bb60237ace601fcbd526208627fdee170d9ed41e91c7a"
} ,
{
"category" : "Payload installation" ,
"comment" : "DECRYPTION_HOWTO.Notepad" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457707414" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "56e2d848-0f6c-41cc-b03f-6599950d210f" ,
"value" : "What happened to your files ?\r\nAll of your files were protected by a strong encryption.\r\nThere is no way to decrypt your files without the key.\r\nIf your files not important for you just reinstall your system.\r\nIf your files is important just email us to discuss the price and how to decrypt your files.\r\nYou can email us to nowayout@protonmail.com and nowayout@sigaint.org \r\nWrite your Email to both email addresses PLS\r\nWe accept just BITCOIN if you dont know what it is just google it.\r\nWe will give instructions where and how you buy bitcoin in your country.\r\nPrice depends on how important your files and network is.it could be 0.5 bitcoin to 25 bitcoin.\r\nYou can send us a 1 encrypted file for decryption.\r\nFeel free to email us with your country and computer name and username of the infected system."
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457707851" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "56e2db4b-2904-45ab-a9c0-4ac702de0b81" ,
"value" : "https://www.virustotal.com/file/ddb0c54759fada5cff7bb60237ace601fcbd526208627fdee170d9ed41e91c7a/analysis/1457588432/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Automatically added (via surprise.exe|bee22913ad9d6c9a37152aa65daa6bd9beca00eb)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1457708314" ,
"to_ids" : true ,
"type" : "filename|md5" ,
"uuid" : "56e2dd1a-1830-4809-9765-4f01950d210f" ,
"value" : "surprise.exe|c34fb15c5f93c2bd1b8a1ba29566837f"
}
]
}
}