{
"Event" : {
"analysis" : "2" ,
"date" : "2018-02-09" ,
"extends_uuid" : "" ,
"info" : "OSINT - Black Ruby Ransomware Skips Victims in Iran and Adds a Miner for Good Measure" ,
"publish_timestamp" : "1523201607" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1523201602" ,
"uuid" : "5ac763c9-0ba0-413e-ae2a-4de3950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#a0a300" ,
"local" : "0" ,
"name" : "dnc:malware-type=\"CoinMiner\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:ransomware=\"Black Ruby\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#53a500" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"cryptojacking\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200379" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5ac763f5-1d9c-42a5-9148-438f950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200379" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5ac7644b-a51c-443a-9d75-4189950d210f" ,
"value" : "A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can.\r\n\r\nUnfortunately, this ransomware is not decryptable at this time. If you wish to discuss or receive help, you can use our dedicated Black Ruby Help & Support topic." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200379" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5ac7678c-2d88-4bd3-8901-4813950d210f" ,
"value" : "%WINDIR%\\System32\\BlackRuby\\svchost.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "ransomnote" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200379" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5ac76aa0-e3ac-408b-8f01-47db950d210f" ,
"value" : "HOW-TO-DECRYPT-FILES.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200380" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "5ac76b0a-45ac-4eff-9490-4be0950d210f" ,
"value" : "theblackruby@protonmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523019161" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5ac76d99-379c-438e-9160-4588950d210f" ,
"value" : "daea4b5ea119786d996f33895996396892fa0bdbb8f9e9fcc184a89d0d0cb85e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200380" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5ac76d99-2d18-4876-9b19-450e950d210f" ,
"value" : "%WINDIR%\\system32\\BlackRuby\\WindowsUI.exe"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200381" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5ac76d9a-2f64-44f6-8261-4bd4950d210f" ,
"value" : "HKEY_CURRENT_USER\\\\SOFTWARE\\\\Microsoft\\\\BlackRuby"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1523200381" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5ac76d9a-b198-4dea-bd59-4b57950d210f" ,
"value" : "HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run \"Windows Defender\" = \"%WINDIR%\\system32\\BlackRuby\\WindowsUI.exe\""
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame." ,
"meta-category" : "network" ,
"name" : "ip-port" ,
"template_uuid" : "9f8cea74-16fe-4968-a2b4-026676949ac6" ,
"template_version" : "6" ,
"timestamp" : "1523017684" ,
"uuid" : "5ac767d4-578c-4a81-92a0-4773950d210f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1523017684" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5ac767d4-d6dc-4e79-a9b1-47ee950d210f" ,
"value" : "de01.supportxmr.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "dst-port" ,
"timestamp" : "1523017685" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "5ac767d5-8b48-4472-8b67-42fd950d210f" ,
"value" : "3333"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An address used in a cryptocurrency" ,
"meta-category" : "financial" ,
"name" : "coin-address" ,
"template_uuid" : "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46" ,
"template_version" : "2" ,
"timestamp" : "1523019039" ,
"uuid" : "5ac76d1f-bf58-4d91-a7ba-4062950d210f" ,
"Attribute" : [
{
"category" : "Financial fraud" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "address" ,
"timestamp" : "1523019039" ,
"to_ids" : true ,
"type" : "btc" ,
"uuid" : "5ac76d1f-e5b4-45a9-b4f8-43f9950d210f" ,
"value" : "19S7k3zHphKiYr85T25FnqdxizHcgmjoj1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "symbol" ,
"timestamp" : "1523019040" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5ac76d20-64a0-40ec-98a0-459f950d210f" ,
"value" : "BTC"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "7" ,
"timestamp" : "1523200385" ,
"uuid" : "68285c12-30a0-45b5-8a81-d78abd93c1ce" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "68285c12-30a0-45b5-8a81-d78abd93c1ce" ,
"referenced_uuid" : "bf3ce3aa-02e3-486d-85f0-0d583dc7c29c" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1523200384" ,
"uuid" : "5aca3180-9fe4-4c24-a5e8-61c102de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1523200382" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5aca317e-92e4-458c-8185-61c102de0b81" ,
"value" : "bc5b077127e064e7e6b715f2d37abb80c5bf98cc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1523200382" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5aca317e-f6f0-4b17-88c1-61c102de0b81" ,
"value" : "daea4b5ea119786d996f33895996396892fa0bdbb8f9e9fcc184a89d0d0cb85e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1523200382" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5aca317e-f87c-4b2c-81dc-61c102de0b81" ,
"value" : "81e9036aed5502446654c8e5a1770935"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "1" ,
"timestamp" : "1523200383" ,
"uuid" : "bf3ce3aa-02e3-486d-85f0-0d583dc7c29c" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1523200383" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5aca317f-c384-42de-8ecc-61c102de0b81" ,
"value" : "https://www.virustotal.com/file/daea4b5ea119786d996f33895996396892fa0bdbb8f9e9fcc184a89d0d0cb85e/analysis/1521543214/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1523200383" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5aca317f-9db8-4948-ad95-61c102de0b81" ,
"value" : "48/64"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1523200383" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5aca317f-e7f4-465e-91cc-61c102de0b81" ,
"value" : "2018-03-20T10:53:34"
}
]
}
]
}
}