misp-circl-feed/feeds/circl/misp/5881bff7-0bd0-4c84-a206-4eb4950d210f.json


{
"Event": {
"analysis": "0",
"date": "2017-01-20",
"extends_uuid": "",
"info": "OSINT - Spora - the Shortcut Worm that is also a Ransomware",
"publish_timestamp": "1484898922",
"published": true,
"threat_level_id": "3",
"timestamp": "1484898903",
"uuid": "5881bff7-0bd0-4c84-a206-4eb4950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:preventive-measure=\"Backup and Restore Process\""
},
{
"colour": "#001cad",
"name": "estimative-language:likelihood-probability=\"very-likely\""
},
{
"colour": "#420053",
"name": "ms-caro-malware:malware-type=\"Ransom\""
},
{
"colour": "#2c4f00",
"name": "malware_classification:malware-category=\"Ransomware\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898385",
"to_ids": false,
"type": "link",
"uuid": "5881c051-8680-4604-8ee6-4195950d210f",
"value": "https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898407",
"to_ids": false,
"type": "text",
"uuid": "5881c067-6158-41a5-8bd6-4eb7950d210f",
"value": "Spora spreads via USB drives like Gamarue and Dinihou aka Jenxcus whilst also encrypting files. The sophistication of this threat could easily make it the new Locky. We discuss its infection and encryption procedure and show how it uses statistical values about encrypted files to calculate the ransom amount."
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898514",
"to_ids": true,
"type": "filename",
"uuid": "5881c0d2-7b5c-499d-9582-4c61950d210f",
"value": "\u00d0\u00a1\u00d0\u00ba\u00d0\u00b0\u00d0\u00bd-\u00d0\u00ba\u00d0\u00be\u00d0\u00bf\u00d0\u00b8\u00d1\u008f _ 10 \u00d1\u008f\u00d0\u00bd\u00d0\u00b2\u00d0\u00b0\u00d1\u20ac\u00d1\u008f 2017\u00d0\u00b3. \u00d0\u00a1\u00d0\u00be\u00d1\u0081\u00d1\u201a\u00d0\u00b0\u00d0\u00b2\u00d0\u00bb\u00d0\u00b5\u00d0\u00bd\u00d0\u00be \u00d0\u00b8 \u00d0\u00bf\u00d0\u00be\u00d0\u00b4\u00d0\u00bf\u00d0\u00b8\u00d1\u0081\u00d0\u00b0\u00d0\u00bd\u00d0\u00be \u00d0\u00b3\u00d0\u00bb\u00d0\u00b0\u00d0\u00b2\u00d0\u00bd\u00d1\u2039\u00d0\u00bc \u00d0\u00b1\u00d1\u0192\u00d1\u2026\u00d0\u00b3\u00d0\u00b0\u00d0\u00bb\u00d1\u201a\u00d0\u00b5\u00d1\u20ac\u00d0\u00be\u00d0\u00bc. \u00d0\u00ad\u00d0\u00ba\u00d1\u0081\u00d0\u00bf\u00d0\u00be\u00d1\u20ac\u00d1\u201a \u00d0\u00b8\u00d0\u00b7 1\u00d0\u00a1.a01e743_\u00d1\u20acdf.hta"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898568",
"to_ids": true,
"type": "sha256",
"uuid": "5881c108-c4fc-4a3d-a379-47d4950d210f",
"value": "3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553"
},
{
"category": "Payload delivery",
"comment": "Script.Trojan-Dropper.Spora.G - close.js",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898595",
"to_ids": true,
"type": "sha256",
"uuid": "5881c123-f2f8-443f-9f38-4f64950d210f",
"value": "e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a"
},
{
"category": "Payload delivery",
"comment": "Win32.Worm.Spora.B - a277a133-ecde-c0f5-1591-ab36e22428bb.exe - 81063163ded.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898648",
"to_ids": true,
"type": "sha256",
"uuid": "5881c158-4b98-444b-a384-4b3c950d210f",
"value": "dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf"
},
{
"category": "Payload delivery",
"comment": "Corrupt Word document\t doc_6d518e.docx",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898679",
"to_ids": true,
"type": "sha256",
"uuid": "5881c177-8a80-44cb-a014-4d27950d210f",
"value": "0ba39054a70802d0b59a18b873aab519e418dc9b0c81400d27614c9c085409ad"
},
{
"category": "Payload delivery",
"comment": "Ransom note",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898723",
"to_ids": true,
"type": "filename",
"uuid": "5881c1a3-1400-4a34-b267-4aca950d210f",
"value": "RU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.HTML"
},
{
"category": "Payload delivery",
"comment": "Contains statistics, campaignID, username, locale, timestamp and private RSA key C1; encrypted",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898724",
"to_ids": true,
"type": "filename",
"uuid": "5881c1a4-9518-4365-8ea5-403f950d210f",
"value": "RU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.KEY"
},
{
"category": "Payload delivery",
"comment": "List of encrypted files; encrypted",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898724",
"to_ids": true,
"type": "filename",
"uuid": "5881c1a4-7ab8-4d54-83c7-452d950d210f",
"value": "RU302-15XRK-GXTFO-GZTET-KTXFF-ORTXA-AYYYY.LST"
},
{
"category": "External analysis",
"comment": "spora encryption",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898761",
"to_ids": false,
"type": "attachment",
"uuid": "5881c1c9-609c-4eea-aefe-4027950d210f",
"value": "G_DATA_spora_encryption_infographic_web_78175w894h615.jpg"
},
{
"category": "Payload delivery",
"comment": "Win32.Worm.Spora.B - a277a133-ecde-c0f5-1591-ab36e22428bb.exe - 81063163ded.exe - Xchecked via VT: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898812",
"to_ids": true,
"type": "sha1",
"uuid": "5881c1fc-8464-4d81-9590-4f8602de0b81",
"value": "d3c89ccaf190890fc0583ea24396b1a2cd8317c4"
},
{
"category": "Payload delivery",
"comment": "Win32.Worm.Spora.B - a277a133-ecde-c0f5-1591-ab36e22428bb.exe - 81063163ded.exe - Xchecked via VT: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898813",
"to_ids": true,
"type": "md5",
"uuid": "5881c1fd-a9c8-4edc-a4d6-4e7f02de0b81",
"value": "312445d2cca1cf82406af567596b9d8c"
},
{
"category": "External analysis",
"comment": "Win32.Worm.Spora.B - a277a133-ecde-c0f5-1591-ab36e22428bb.exe - 81063163ded.exe - Xchecked via VT: dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898814",
"to_ids": false,
"type": "link",
"uuid": "5881c1fe-5b2c-406e-a9c9-48ad02de0b81",
"value": "https://www.virustotal.com/file/dbfd24cd70f02ddea6de0a851c1ef0f45f18b4f70e6f3d0f2e2aec0d1b4a2cbf/analysis/1484855168/"
},
{
"category": "Payload delivery",
"comment": "Script.Trojan-Dropper.Spora.G - close.js - Xchecked via VT: e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898814",
"to_ids": true,
"type": "sha1",
"uuid": "5881c1fe-fe68-4c71-983c-441a02de0b81",
"value": "ae22308bd176a06f3522b8547bd7d9988e1b56fa"
},
{
"category": "Payload delivery",
"comment": "Script.Trojan-Dropper.Spora.G - close.js - Xchecked via VT: e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898815",
"to_ids": true,
"type": "md5",
"uuid": "5881c1ff-9ffc-43a4-96dd-446f02de0b81",
"value": "fc1b2bec47aaa059319f4a47cb37c5e2"
},
{
"category": "External analysis",
"comment": "Script.Trojan-Dropper.Spora.G - close.js - Xchecked via VT: e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898816",
"to_ids": false,
"type": "link",
"uuid": "5881c200-5668-4e6e-a169-441202de0b81",
"value": "https://www.virustotal.com/file/e2fe74d890ddb516b4f21a6588c6e0bdbf3dd6f8c5116d707d08db7ebddf505a/analysis/1484641209/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898817",
"to_ids": true,
"type": "sha1",
"uuid": "5881c201-7fa8-44d8-aebd-4b4202de0b81",
"value": "0696d0a4d6fddf137733b867f0334902903e2a0e"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898817",
"to_ids": true,
"type": "md5",
"uuid": "5881c201-1fb8-4c0d-a85a-49be02de0b81",
"value": "37477dec05d8ae50aa5204559c81bde3"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484898818",
"to_ids": false,
"type": "link",
"uuid": "5881c202-c4bc-4470-974a-44a702de0b81",
"value": "https://www.virustotal.com/file/3fb2e50764dea9266ca8c20681a0e0bf60feaa34a52699cf2cf0c07d96a22553/analysis/1484819616/"
}
]
}
}