{
"Event": {
"analysis": "2",
"date": "2017-06-27",
"extends_uuid": "",
"info": "OSINT - New Variant of Petya Ransomware Spreading Like Wildfire",
"publish_timestamp": "1498600065",
"published": true,
"threat_level_id": "3",
"timestamp": "1498600020",
"uuid": "5952d18c-b4f4-4a20-8373-443802de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:ransomware=\"Petya\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#2c4f00",
"name": "malware_classification:malware-category=\"Ransomware\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": false,
"type": "text",
"uuid": "5952d1a1-f610-4914-8313-49f002de0b81",
"value": "The world woke up today to another ransomware outbreak wreaking havoc throughout companies\u2019 networks. This time, the family causing the fuss is Ransomware Petya, a nasty variant that encrypts files and the computer\u2019s master boot record (MBR), rendering the machine unusable.\r\n\r\nRansomware Petya has been around since at least March 2016 and differs from usual ransomware families because it encrypts a system\u2019s MBR in addition to encrypting files. This double stroke renders the disk inaccessible and prevents most users from recovering anything on it.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": false,
"type": "link",
"uuid": "5952d1ac-da30-4335-80af-4fdc02de0b81",
"value": "https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Payload delivery",
"comment": "main 32-bit DLL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha256",
"uuid": "5952d20a-9b1c-49f5-972c-141a02de0b81",
"value": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
},
{
"category": "Payload delivery",
"comment": "main 32-bit DLL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha256",
"uuid": "5952d20a-e770-4ca3-8e95-141a02de0b81",
"value": "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
},
{
"category": "Payload delivery",
"comment": "signed PSEXEC.EXE",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha256",
"uuid": "5952d20a-b3b4-43e4-be35-141a02de0b81",
"value": "f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5"
},
{
"category": "Payload delivery",
"comment": "64-bit EXE",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha256",
"uuid": "5952d20a-f2b8-43e2-8b5a-141a02de0b81",
"value": "02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f"
},
{
"category": "Payload delivery",
"comment": "32-bit EXE",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha256",
"uuid": "5952d20a-2520-413c-b3b9-141a02de0b81",
"value": "eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "named pipe",
"uuid": "5952d219-c354-4c93-9800-400502de0b81",
"value": "{df458642-df8b-4131-b02d-32064a2f4c19}"
},
{
"category": "Payload delivery",
"comment": "32-bit EXE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha1",
"uuid": "5952d254-8b54-4519-ad69-416602de0b81",
"value": "56c03d8e43f50568741704aee482704a4f5005ad"
},
{
"category": "Payload delivery",
"comment": "32-bit EXE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "md5",
"uuid": "5952d254-86f4-47bc-ad96-438802de0b81",
"value": "2813d34f6197eb4df42c886ec7f234a1"
},
{
"category": "External analysis",
"comment": "32-bit EXE - Xchecked via VT: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": false,
"type": "link",
"uuid": "5952d254-58a4-4fb0-ae26-484402de0b81",
"value": "https://www.virustotal.com/file/eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998/analysis/1498596287/"
},
{
"category": "Payload delivery",
"comment": "64-bit EXE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha1",
"uuid": "5952d254-9904-40f3-95c0-4bb802de0b81",
"value": "38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf"
},
{
"category": "Payload delivery",
"comment": "64-bit EXE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "md5",
"uuid": "5952d254-84c4-4db6-ac28-49e302de0b81",
"value": "7e37ab34ecdcc3e77e24522ddfd4852d"
},
{
"category": "External analysis",
"comment": "64-bit EXE - Xchecked via VT: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": false,
"type": "link",
"uuid": "5952d254-91b8-46c6-8a08-462902de0b81",
"value": "https://www.virustotal.com/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/1498597930/"
},
{
"category": "Payload delivery",
"comment": "signed PSEXEC.EXE - Xchecked via VT: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha1",
"uuid": "5952d254-4f84-46e8-8619-434502de0b81",
"value": "cd23b7c9e0edef184930bc8e0ca2264f0608bcb3"
},
{
"category": "Payload delivery",
"comment": "signed PSEXEC.EXE - Xchecked via VT: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "md5",
"uuid": "5952d254-8b7c-49b8-ac85-411102de0b81",
"value": "aeee996fd3484f28e5cd85fe26b6bdcd"
},
{
"category": "External analysis",
"comment": "signed PSEXEC.EXE - Xchecked via VT: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": false,
"type": "link",
"uuid": "5952d254-2f78-496e-aefd-460702de0b81",
"value": "https://www.virustotal.com/file/f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5/analysis/1498597584/"
},
{
"category": "Payload delivery",
"comment": "main 32-bit DLL - Xchecked via VT: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha1",
"uuid": "5952d254-a9a8-4eff-a686-44b602de0b81",
"value": "9717cfdc2d023812dbc84a941674eb23a2a8ef06"
},
{
"category": "Payload delivery",
"comment": "main 32-bit DLL - Xchecked via VT: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "md5",
"uuid": "5952d254-ef40-46cf-b4ba-466c02de0b81",
"value": "e285b6ce047015943e685e6638bd837e"
},
{
"category": "External analysis",
"comment": "main 32-bit DLL - Xchecked via VT: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": false,
"type": "link",
"uuid": "5952d254-17cc-4dec-b486-46ff02de0b81",
"value": "https://www.virustotal.com/file/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1/analysis/1498597050/"
},
{
"category": "Payload delivery",
"comment": "main 32-bit DLL - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "sha1",
"uuid": "5952d254-79e8-43f4-b462-43be02de0b81",
"value": "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d"
},
{
"category": "Payload delivery",
"comment": "main 32-bit DLL - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": true,
"type": "md5",
"uuid": "5952d254-92d4-46b0-813a-458c02de0b81",
"value": "71b6a493388e7d0b40c83ce903bc6b04"
},
{
"category": "External analysis",
"comment": "main 32-bit DLL - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
"deleted": false,
"disable_correlation": false,
"timestamp": "1498600020",
"to_ids": false,
"type": "link",
"uuid": "5952d254-4950-46bb-a9bf-4b7602de0b81",
"value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1498599850/"
}
]
}
}