2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2016-04-12" ,
"extends_uuid" : "" ,
"info" : "Rokku Ransomware shows possible link with Chimera" ,
"publish_timestamp" : "1460444472" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1460444381" ,
"uuid" : "570c9b9a-dc20-448a-8f24-443f950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#004646" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444092" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "570c9bbc-3e44-4a98-b0d3-4aea950d210f" ,
"value" : "Rokku is yet another ransomware, discovered in recent weeks. Currently, it\u00e2\u20ac\u2122s most common distribution method is spam where a malicious executable is dropped by a VB script belonging to the e-mail\u00e2\u20ac\u2122s attachment.\r\n\r\nThe building blocks of Rokku reminded us of the Chimera ransomware. That\u00e2\u20ac\u2122s why we decided to take a closer look, not only at the internal structure of this malware but also at the similarities and differences between these two products."
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444104" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "570c9bc8-fcd0-4608-b703-4848950d210f" ,
"value" : "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "original executable (malware)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444173" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "570c9c0d-b684-4990-8b90-4dcc950d210f" ,
"value" : "97512f4617019c907cd0f88193039e7c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "UPX layer removed (malware)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444173" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "570c9c0d-bc48-4fc6-b1dc-4f17950d210f" ,
"value" : "5a0e3a6e3106e754381bd1cc3295c97f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "payload: encryptor.dll (malware) - the analysis" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444173" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "570c9c0d-addc-4cd3-85fd-4956950d210f" ,
"value" : "be6552aed5e7509b3b539cef8a965131"
} ,
{
"category" : "Payload delivery" ,
"comment" : "original executable: decryptor.exe (decryptor)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444235" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "570c9c4b-6ad4-427e-8c07-489e950d210f" ,
"value" : "82fea20bb4c96050b4cf55f83de0f3e6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "UPX layer removed (decryptor)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444235" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "570c9c4b-53c4-464c-9303-4c91950d210f" ,
"value" : "1be4a0932a66ebdb9ede56214d8ccdf9"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "Finally, removing backups and stopping backup services is performed \u00e2\u20ac\u201c by execution of the following commands:" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444292" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "570c9c84-3d14-4715-b999-48cf950d210f" ,
"value" : "wmic shadowcopy delete /nointeractive\r\nvssadmin delete shadows /all /quiet\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\VSS\" /v Start /t REG_DWORD /d 4 /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v DisableSR /t REG_DWORD /d 1 /f\r\nnet stop vss\r\nnet stop swprv\r\nnet stop srservice"
} ,
{
"category" : "Payload delivery" ,
"comment" : "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444381" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "570c9cdd-39d8-4f9e-802c-402702de0b81" ,
"value" : "09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444381" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "570c9cdd-79fc-450e-86b0-486a02de0b81" ,
"value" : "27e46208f348de4df378c8646c14f499d2290793"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444382" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "570c9cde-1aac-4cde-b159-451302de0b81" ,
"value" : "https://www.virustotal.com/file/09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc/analysis/1459878434/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444382" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "570c9cde-b944-4147-a64c-42fd02de0b81" ,
"value" : "e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87"
} ,
{
"category" : "Payload delivery" ,
"comment" : "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444382" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "570c9cde-06ac-4ace-8186-4ff702de0b81" ,
"value" : "035af05addaf8cf9c103bbb27b355477ce336cc1"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444383" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "570c9cdf-4e74-4cf3-b93a-4e9c02de0b81" ,
"value" : "https://www.virustotal.com/file/e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87/analysis/1459878217/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444383" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "570c9cdf-7d2c-4580-bef9-44be02de0b81" ,
"value" : "186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51"
} ,
{
"category" : "Payload delivery" ,
"comment" : "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444383" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "570c9cdf-e470-4fbf-b638-46eb02de0b81" ,
"value" : "da1ad69f282ae49a0af6aa7bef190f434ac18c7b"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444384" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "570c9ce0-0140-46c7-b4b9-4a6402de0b81" ,
"value" : "https://www.virustotal.com/file/186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51/analysis/1459758054/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444384" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "570c9ce0-f1b0-4d89-b14f-4ff202de0b81" ,
"value" : "1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983"
} ,
{
"category" : "Payload delivery" ,
"comment" : "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444384" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "570c9ce0-92c4-4f1c-a35c-403102de0b81" ,
"value" : "49239500b0510ce7643c48ebfaf6c9e35aa1cce5"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444385" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "570c9ce1-ac20-4b2a-8b30-44e702de0b81" ,
"value" : "https://www.virustotal.com/file/1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983/analysis/1459828258/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444385" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "570c9ce1-c698-48aa-b27a-46e602de0b81" ,
"value" : "438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499"
} ,
{
"category" : "Payload delivery" ,
"comment" : "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444385" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "570c9ce1-5af8-482a-a990-46c702de0b81" ,
"value" : "24cfa261ee30f697e7d1e2215eee1c21eebf4579"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1460444385" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "570c9ce1-6d14-459a-8a69-4f7502de0b81" ,
"value" : "https://www.virustotal.com/file/438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499/analysis/1459900992/"
}
]
}
}