{
"Event" : {
"analysis" : "2" ,
"date" : "2018-08-20" ,
"extends_uuid" : "" ,
"info" : "OSINT - New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles" ,
"publish_timestamp" : "1539157331" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1539157322" ,
"uuid" : "5bbb1f88-fe84-4834-bccd-7916950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#3b7500" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"malware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:ransomware=\"Matrix\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539079531" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5bbb2419-ffb4-41f3-ae26-215d950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539079517" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5bbb4c93-9990-42d6-a210-42cc950d210f" ,
"value" : "A new variant of the Matrix Ransomware has been discovered that is renaming encrypted files and then appending the .FOX extension to the file name. Of particular interest, this ransomware could have the most exhaustive process of making sure each and every file is not opened and available for encrypting. Thankfully, this also makes its encryption process very slow so it could be easier to detect.\r\n\r\nThis ransomware variant was first discovered by security researcher MalwareHunterTeam and is installed through computers running Remote Desktop Services and being openly connected to the Internet. The attackers will scan ranges of IP addresses to find open RDP services and then brute force the password." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539071519" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "5bbc5e1f-dabc-4346-8882-5450950d210f" ,
"value" : "pabfox@protonmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539071519" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "5bbc5e1f-777c-421d-9604-5450950d210f" ,
"value" : "foxhelp@cock.li"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539071520" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "5bbc5e20-28dc-457e-891c-5450950d210f" ,
"value" : "foxhelp@tutanota.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539073048" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bbc6418-2098-45c6-8ed7-602f950d210f" ,
"value" : "%AppData%\\random.vbs"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539073049" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bbc6419-1050-491c-83d7-602f950d210f" ,
"value" : "%AppData%\\random.bat"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539073049" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bbc6419-bd6c-43d1-a2d7-602f950d210f" ,
"value" : "%AppData%\\random.bmp"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539073050" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bbc641a-8154-4851-aadc-602f950d210f" ,
"value" : "%DownloadedFolder%\\.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539073050" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bbc641a-b840-4736-a500-602f950d210f" ,
"value" : "%DownloadedFolder%\\.bat"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539073089" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5bbc6441-7be4-4677-9ab0-6007950d210f" ,
"value" : "HOW TO RECOVER YOUR FILES INSTRUCTION\r\nATENTION!!!\r\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \r\nby our automatic software. It became possible because of bad server security. \r\nATENTION!!!\r\nPlease don't worry, we can help you to RESTORE your server to original\r\nstate and decrypt all your files quickly and safely!\r\n\r\nINFORMATION!!!\r\nFiles are not broken!!!\r\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\r\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!\r\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\r\n* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\r\n\r\nHOW TO RECOVER FILES???\r\nPlease write us to the e-mail (write on English or use professional translator):\r\nPabFox@protonmail.com \r\nFoxHelp@cock.li\r\nFoxHelp@tutanota.com\r\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\r\n \r\nIn subject line write your personal ID:\r\n[id]\r\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \r\n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \r\n\r\nOUR ADVICE!!!\r\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\r\n\r\nWe will definitely reach an agreement ;) !!!"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Ransomnote" ,
"data" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 4 g l 0 S U N D X 1 B S T 0 Z J T E U A A Q E A A A l k A A A A A A I A A A B t b n R y U k d C I F h Z W i A H 1 A A M A B c A C Q A B A A l h Y 3 N w T V N G V A A A A A B T R U M g R l B E I A A A A A A A A A A A A A A A A Q A A 9 t U A A Q A A A A D T L F N F Q y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 1 j c H J 0 A A A B I A A A A D h k Z X N j A A A B W A A A A I B k b W 5 k A A A B 2 A A A A H p k b W R k A A A C V A A A A G J y W F l a A A A C u A A A A B R n W F l a A A A C z A A A A B R i W F l a A A A C 4 A A A A B R 3 d H B 0 A A A C 9 A A A A B R y V F J D A A A D C A A A A g x n V F J D A A A F F A A A A g x i V F J D A A A H I A A A A g x j Y W x 0 A A A J L A A A A B R 2 a W V 3 A A A J Q A A A A C R 0 Z X h 0 A A A A A E N v c H l y a W d o d C A o Y y k g M j A w M y B T Y W 1 z d W 5 n I E V s Z W N 0 c m 9 u a W N z I E N v L i w g T H R k A G R l c 2 M A A A A A A A A A J F N h b X N 1 b m c g L S B O Y X R 1 c m F s I E N v b G 9 y I F B y b y A x L j A g S U N N A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Z G V z Y w A A A A A A A A A d U 2 F t c 3 V u Z y B F b G V j d H J v b m l j c y B D b y 4 s I E x 0 Z A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A G R l c 2 M A A A A A A A A A B S A g I C A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B Y W V o g A A A A A A A A f D 
Q A A E M M A A A B 0 1 h Z W i A A A A A A A A B V Q Q A A p C Y A A B h W W F l a I A A A A A A A A C V g A A A Y 0 Q A A u Q N Y W V o g A A A A A A A A 8 z 4 A A Q A A A A E W c G N 1 c n Y A A A A A A A A B A A A A A A A A A Q A D A A c A C w A R A B g A I A A p A D Q A Q Q B O A F 0 A b g C A A J Q A q Q D A A N g A 8 g E N A S o B S Q F p A Y s B r w H U A f s C J A J P A n s C q Q L Z A w o D P Q N y A 6 k D 4 g Q c B F k E l w T X B R k F X Q W i B e o G M w Z + B s s H G g d r B 74 I E w h q C M M J H Q l 6 C d k K O Q q c C w E L Z w v Q D D o M p w 0 W D Y Y N + Q 5 u D u U P X g / Z E F Y Q 1 R F W E d k S X h L m E 28 T + x S J F R k V q h Y / F t U X b R g I G K Q Z Q x n k G o c b L B v U H H 4 d K R 3 X H o c f O h / u I K U h X i I Z I t c j l i R Y J R w l 4 y a r J 3 Y o Q y k S K e Q q t y u O L G Y t Q C 4 d L v w v 3 j D B M a c y k D N 6 N G c 1 V j Z I N z w 4 M j k q O i U 7 I j w h P S M + J z 8 u Q D Z B Q U J P Q 19 E c U W F R p x H t U j R S e 9 L D 0 w y T V d O f 0 + p U N V S B F M 1 V G h V n l b X W B F Z T l q O W 9 B d F F 5 b X 6 R g 8 G I + Y 49 k 4 m Y 3 Z 49 o 6 W p G a 6 V t B 25 r b 9 J x O 3 K n d B V 1 h X b 4 e G 555 n t g f N 1 + X X / f g W O C 6 o R z h f + H j o k f i r K M S I 3 h j 3 y R G Z K 5 l F y W A Z e p m V O b A J y v n m G g F a H M o 4 a l Q q c B q M K q h a x M r h W v 4 L G u s 3 + 1 U r c o u Q C 627 y 4 v p j A e 8 J g x E j G M s g g y g / M A c 32 z + 7 R 6 N P l 1 e T X 5 t n q 2 / H d + + A I 4 h f k K O Y 96 F T q b e y J 7 q j w y v L u 9 R X 3 P v l q + 5 n 9 y v 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539074880" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5bbc6720-8aa4-4c50-b6d9-602f950d210f" ,
"value" : "ransom-note-redacted.jpg"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Ransomnote - Desktop background" ,
"data" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 4 g l 0 S U N D X 1 B S T 0 Z J T E U A A Q E A A A l k A A A A A A I A A A B t b n R y U k d C I F h Z W i A H 1 A A M A B c A C Q A B A A l h Y 3 N w T V N G V A A A A A B T R U M g R l B E I A A A A A A A A A A A A A A A A Q A A 9 t U A A Q A A A A D T L F N F Q y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 1 j c H J 0 A A A B I A A A A D h k Z X N j A A A B W A A A A I B k b W 5 k A A A B 2 A A A A H p k b W R k A A A C V A A A A G J y W F l a A A A C u A A A A B R n W F l a A A A C z A A A A B R i W F l a A A A C 4 A A A A B R 3 d H B 0 A A A C 9 A A A A B R y V F J D A A A D C A A A A g x n V F J D A A A F F A A A A g x i V F J D A A A H I A A A A g x j Y W x 0 A A A J L A A A A B R 2 a W V 3 A A A J Q A A A A C R 0 Z X h 0 A A A A A E N v c H l y a W d o d C A o Y y k g M j A w M y B T Y W 1 z d W 5 n I E V s Z W N 0 c m 9 u a W N z I E N v L i w g T H R k A G R l c 2 M A A A A A A A A A J F N h b X N 1 b m c g L S B O Y X R 1 c m F s I E N v b G 9 y I F B y b y A x L j A g S U N N A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Z G V z Y w A A A A A A A A A d U 2 F t c 3 V u Z y B F b G V j d H J v b m l j c y B D b y 4 s I E x 0 Z A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A G R l c 2 M A A A A A A A A A B S A g I C A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B Y W V o g A A A A A A A A f D 
Q A A E M M A A A B 0 1 h Z W i A A A A A A A A B V Q Q A A p C Y A A B h W W F l a I A A A A A A A A C V g A A A Y 0 Q A A u Q N Y W V o g A A A A A A A A 8 z 4 A A Q A A A A E W c G N 1 c n Y A A A A A A A A B A A A A A A A A A Q A D A A c A C w A R A B g A I A A p A D Q A Q Q B O A F 0 A b g C A A J Q A q Q D A A N g A 8 g E N A S o B S Q F p A Y s B r w H U A f s C J A J P A n s C q Q L Z A w o D P Q N y A 6 k D 4 g Q c B F k E l w T X B R k F X Q W i B e o G M w Z + B s s H G g d r B 74 I E w h q C M M J H Q l 6 C d k K O Q q c C w E L Z w v Q D D o M p w 0 W D Y Y N + Q 5 u D u U P X g / Z E F Y Q 1 R F W E d k S X h L m E 28 T + x S J F R k V q h Y / F t U X b R g I G K Q Z Q x n k G o c b L B v U H H 4 d K R 3 X H o c f O h / u I K U h X i I Z I t c j l i R Y J R w l 4 y a r J 3 Y o Q y k S K e Q q t y u O L G Y t Q C 4 d L v w v 3 j D B M a c y k D N 6 N G c 1 V j Z I N z w 4 M j k q O i U 7 I j w h P S M + J z 8 u Q D Z B Q U J P Q 19 E c U W F R p x H t U j R S e 9 L D 0 w y T V d O f 0 + p U N V S B F M 1 V G h V n l b X W B F Z T l q O W 9 B d F F 5 b X 6 R g 8 G I + Y 49 k 4 m Y 3 Z 49 o 6 W p G a 6 V t B 25 r b 9 J x O 3 K n d B V 1 h X b 4 e G 555 n t g f N 1 + X X / f g W O C 6 o R z h f + H j o k f i r K M S I 3 h j 3 y R G Z K 5 l F y W A Z e p m V O b A J y v n m G g F a H M o 4 a l Q q c B q M K q h a x M r h W v 4 L G u s 3 + 1 U r c o u Q C 627 y 4 v p j A e 8 J g x E j G M s g g y g / M A c 32 z + 7 R 6 N P l 1 e T X 5 t n q 2 / H d + + A I 4 h f k K O Y 96 F T q b e y J 7 q j w y v L u 9 R X 3 P v l q + 5 n 9 y v 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539074924" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5bbc6b6c-f4b8-4833-a2f0-6012950d210f" ,
"value" : "fox-background.jpg"
} ,
{
"category" : "Payload delivery" ,
"comment" : "At the end of the encryption process, a randomly named .vbs file in the %AppData% folder will be launched that is used to register a scheduled task named DSHCA. This scheduled task is used to run a batch file with administrative privileges that will perform a cleanup of the computer and disable various repair features." ,
"data" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 4 g l 0 S U N D X 1 B S T 0 Z J T E U A A Q E A A A l k A A A A A A I A A A B t b n R y U k d C I F h Z W i A H 1 A A M A B c A C Q A B A A l h Y 3 N w T V N G V A A A A A B T R U M g R l B E I A A A A A A A A A A A A A A A A Q A A 9 t U A A Q A A A A D T L F N F Q y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 1 j c H J 0 A A A B I A A A A D h k Z X N j A A A B W A A A A I B k b W 5 k A A A B 2 A A A A H p k b W R k A A A C V A A A A G J y W F l a A A A C u A A A A B R n W F l a A A A C z A A A A B R i W F l a A A A C 4 A A A A B R 3 d H B 0 A A A C 9 A A A A B R y V F J D A A A D C A A A A g x n V F J D A A A F F A A A A g x i V F J D A A A H I A A A A g x j Y W x 0 A A A J L A A A A B R 2 a W V 3 A A A J Q A A A A C R 0 Z X h 0 A A A A A E N v c H l y a W d o d C A o Y y k g M j A w M y B T Y W 1 z d W 5 n I E V s Z W N 0 c m 9 u a W N z I E N v L i w g T H R k A G R l c 2 M A A A A A A A A A J F N h b X N 1 b m c g L S B O Y X R 1 c m F s I E N v b G 9 y I F B y b y A x L j A g S U N N A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Z G V z Y w A A A A A A A A A d U 2 F t c 3 V u Z y B F b G V j d H J v b m l j c y B D b y 4 s I E x 0 Z A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A G R l c 2 M A A A A A A A A A B S A g I C A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B Y W V o g A A A A A A A A f D 
Q A A E M M A A A B 0 1 h Z W i A A A A A A A A B V Q Q A A p C Y A A B h W W F l a I A A A A A A A A C V g A A A Y 0 Q A A u Q N Y W V o g A A A A A A A A 8 z 4 A A Q A A A A E W c G N 1 c n Y A A A A A A A A B A A A A A A A A A Q A D A A c A C w A R A B g A I A A p A D Q A Q Q B O A F 0 A b g C A A J Q A q Q D A A N g A 8 g E N A S o B S Q F p A Y s B r w H U A f s C J A J P A n s C q Q L Z A w o D P Q N y A 6 k D 4 g Q c B F k E l w T X B R k F X Q W i B e o G M w Z + B s s H G g d r B 74 I E w h q C M M J H Q l 6 C d k K O Q q c C w E L Z w v Q D D o M p w 0 W D Y Y N + Q 5 u D u U P X g / Z E F Y Q 1 R F W E d k S X h L m E 28 T + x S J F R k V q h Y / F t U X b R g I G K Q Z Q x n k G o c b L B v U H H 4 d K R 3 X H o c f O h / u I K U h X i I Z I t c j l i R Y J R w l 4 y a r J 3 Y o Q y k S K e Q q t y u O L G Y t Q C 4 d L v w v 3 j D B M a c y k D N 6 N G c 1 V j Z I N z w 4 M j k q O i U 7 I j w h P S M + J z 8 u Q D Z B Q U J P Q 19 E c U W F R p x H t U j R S e 9 L D 0 w y T V d O f 0 + p U N V S B F M 1 V G h V n l b X W B F Z T l q O W 9 B d F F 5 b X 6 R g 8 G I + Y 49 k 4 m Y 3 Z 49 o 6 W p G a 6 V t B 25 r b 9 J x O 3 K n d B V 1 h X b 4 e G 555 n t g f N 1 + X X / f g W O C 6 o R z h f + H j o k f i r K M S I 3 h j 3 y R G Z K 5 l F y W A Z e p m V O b A J y v n m G g F a H M o 4 a l Q q c B q M K q h a x M r h W v 4 L G u s 3 + 1 U r c o u Q C 627 y 4 v p j A e 8 J g x E j G M s g g y g / M A c 32 z + 7 R 6 N P l 1 e T X 5 t n q 2 / H d + + A I 4 h f k K O Y 96 F T q b e y J 7 q j w y v L u 9 R X 3 P v l q + 5 n 9 y v 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539076919" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5bbc7337-c298-4840-bfd9-7f7f950d210f" ,
"value" : "create-task.jpg"
} ,
{
"category" : "Payload delivery" ,
"comment" : "This batch file is located in the %AppData% folder as well and will delete shadow volume copies using WMIC, powershell, and vssadmin, remove Windows recovery startup, and delete the VBS file, scheduled task, and itself." ,
"data" : " / 9 j / 4 A A Q S k Z J R g A B A Q A A A Q A B A A D / 4 g l 0 S U N D X 1 B S T 0 Z J T E U A A Q E A A A l k A A A A A A I A A A B t b n R y U k d C I F h Z W i A H 1 A A M A B c A C Q A B A A l h Y 3 N w T V N G V A A A A A B T R U M g R l B E I A A A A A A A A A A A A A A A A Q A A 9 t U A A Q A A A A D T L F N F Q y A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A 1 j c H J 0 A A A B I A A A A D h k Z X N j A A A B W A A A A I B k b W 5 k A A A B 2 A A A A H p k b W R k A A A C V A A A A G J y W F l a A A A C u A A A A B R n W F l a A A A C z A A A A B R i W F l a A A A C 4 A A A A B R 3 d H B 0 A A A C 9 A A A A B R y V F J D A A A D C A A A A g x n V F J D A A A F F A A A A g x i V F J D A A A H I A A A A g x j Y W x 0 A A A J L A A A A B R 2 a W V 3 A A A J Q A A A A C R 0 Z X h 0 A A A A A E N v c H l y a W d o d C A o Y y k g M j A w M y B T Y W 1 z d W 5 n I E V s Z W N 0 c m 9 u a W N z I E N v L i w g T H R k A G R l c 2 M A A A A A A A A A J F N h b X N 1 b m c g L S B O Y X R 1 c m F s I E N v b G 9 y I F B y b y A x L j A g S U N N A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A Z G V z Y w A A A A A A A A A d U 2 F t c 3 V u Z y B F b G V j d H J v b m l j c y B D b y 4 s I E x 0 Z A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A G R l c 2 M A A A A A A A A A B S A g I C A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A B Y W V o g A A A A A A A A f D 
Q A A E M M A A A B 0 1 h Z W i A A A A A A A A B V Q Q A A p C Y A A B h W W F l a I A A A A A A A A C V g A A A Y 0 Q A A u Q N Y W V o g A A A A A A A A 8 z 4 A A Q A A A A E W c G N 1 c n Y A A A A A A A A B A A A A A A A A A Q A D A A c A C w A R A B g A I A A p A D Q A Q Q B O A F 0 A b g C A A J Q A q Q D A A N g A 8 g E N A S o B S Q F p A Y s B r w H U A f s C J A J P A n s C q Q L Z A w o D P Q N y A 6 k D 4 g Q c B F k E l w T X B R k F X Q W i B e o G M w Z + B s s H G g d r B 74 I E w h q C M M J H Q l 6 C d k K O Q q c C w E L Z w v Q D D o M p w 0 W D Y Y N + Q 5 u D u U P X g / Z E F Y Q 1 R F W E d k S X h L m E 28 T + x S J F R k V q h Y / F t U X b R g I G K Q Z Q x n k G o c b L B v U H H 4 d K R 3 X H o c f O h / u I K U h X i I Z I t c j l i R Y J R w l 4 y a r J 3 Y o Q y k S K e Q q t y u O L G Y t Q C 4 d L v w v 3 j D B M a c y k D N 6 N G c 1 V j Z I N z w 4 M j k q O i U 7 I j w h P S M + J z 8 u Q D Z B Q U J P Q 19 E c U W F R p x H t U j R S e 9 L D 0 w y T V d O f 0 + p U N V S B F M 1 V G h V n l b X W B F Z T l q O W 9 B d F F 5 b X 6 R g 8 G I + Y 49 k 4 m Y 3 Z 49 o 6 W p G a 6 V t B 25 r b 9 J x O 3 K n d B V 1 h X b 4 e G 555 n t g f N 1 + X X / f g W O C 6 o R z h f + H j o k f i r K M S I 3 h j 3 y R G Z K 5 l F y W A Z e p m V O b A J y v n m G g F a H M o 4 a l Q q c B q M K q h a x M r h W v 4 L G u s 3 + 1 U r c o u Q C 627 y 4 v p j A e 8 J g x E j G M s g g y g / M A c 32 z + 7 R 6 N P l 1 e T X 5 t n q 2 / H d + + A I 4 h f k K O Y 96 F T q b e y J 7 q j w y v L u 9 R X 3 P v l q + 5 n 9 y v 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1539077522" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5bbc7592-d148-4e53-83d3-7fe6950d210f" ,
"value" : "cleanup-batch-file.jpg"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1539072768" ,
"uuid" : "5bbc6300-c92c-4478-9d96-5456950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1539072768" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5bbc6300-59d4-485c-bdb8-5456950d210f" ,
"value" : "0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1539072769" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5bbc6301-77a0-4c6e-96c0-5456950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "Ransomnote" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1539072918" ,
"uuid" : "5bbc6396-dbdc-46ee-b882-60c7950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1539072918" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bbc6396-76a8-4746-a3e6-60c7950d210f" ,
"value" : "#FOX_README#.rtf"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1539072922" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5bbc639a-f928-4a2f-94fd-60c7950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1539157295" ,
"uuid" : "12119283-9931-40f3-bff6-97439d358a0d" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "12119283-9931-40f3-bff6-97439d358a0d" ,
"referenced_uuid" : "b26bb70c-ce60-4296-a44f-16928c6826f0" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1539157299" ,
"uuid" : "5bbdad33-8950-4e3b-917b-4b9602de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1539157292" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "d2931bcc-ce43-400b-a94d-956645ef35a5" ,
"value" : "76b640aa00354e46b29ca7ac2adfd732"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1539157297" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "e80c6f2f-d9b5-4d49-b8f0-0e6edb3b3846" ,
"value" : "afebf9d72ba7186afefebf4deda87675621b0b8b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1539157297" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "c48bdc71-5bc5-41a0-b309-d009f2090103" ,
"value" : "0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1539157298" ,
"uuid" : "b26bb70c-ce60-4296-a44f-16928c6826f0" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1539157298" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "e2030b2e-550b-4a1b-a93e-1c02dee0ad73" ,
"value" : "2018-09-27T06:49:04"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1539157298" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "67045a09-7660-427b-9976-0c4217fbbb3c" ,
"value" : "https://www.virustotal.com/file/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7/analysis/1538030944/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1539157299" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ca8b504d-51aa-4e7b-976d-6953f54b7fd2" ,
"value" : "48/68"
}
]
}
]
}
}