{
"Event": {
"analysis": "2",
"date": "2018-04-10",
"extends_uuid": "",
"info": "OSINT - Maktub ransomware: possibly rebranded as Iron",
"publish_timestamp": "1525369142",
"published": true,
"threat_level_id": "3",
"timestamp": "1525369091",
"uuid": "5add984c-c0f0-41b0-8ff0-4f6d950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#2c4f00",
"name": "malware_classification:malware-category=\"Ransomware\""
},
{
"colour": "#3b7500",
"name": "circl:incident-classification=\"malware\""
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:ransomware=\"MaktubLocker\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1525271745",
"to_ids": false,
"type": "link",
"uuid": "5add9863-d254-4801-8bdb-450a950d210f",
"value": "https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1525271745",
"to_ids": false,
"type": "comment",
"uuid": "5add9996-2390-47f3-977f-4d52950d210f",
"value": "It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example.\r\n\r\nWe know the Iron ransomware has mimicked at least three ransomware families:\r\n\r\n Maktub (payment portal design)\r\n DMA Locker (Iron Unlocker, decryption tool)\r\n Satan (exclusion list)",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1525271745",
"to_ids": true,
"type": "email-src",
"uuid": "5add9d5d-023c-4570-af2c-483d950d210f",
"value": "recoverfile@mail2tor.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1525271745",
"to_ids": true,
"type": "filename",
"uuid": "5add9d5e-04e8-4270-b81c-4c29950d210f",
"value": "!HELP_YOUR_FILES.HTML"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1525271746",
"to_ids": true,
"type": "url",
"uuid": "5adda3de-ecd4-4318-8703-4692950d210f",
"value": "http://y5mogzal2w25p6bn.ml"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1525271746",
"to_ids": true,
"type": "email-src",
"uuid": "5adda3fa-cc40-4e61-a1ee-4e32950d210f",
"value": "oldblackjack@outlook.com"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1525271747",
"to_ids": false,
"type": "regkey",
"uuid": "5adda3fb-a844-4dc0-814c-4fae950d210f",
"value": "HKCU\\Software\\CryptoA:"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "An address used in a cryptocurrency",
"meta-category": "financial",
"name": "coin-address",
"template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",
"template_version": "2",
"timestamp": "1524473152",
"uuid": "5add9d40-8f68-4a08-874a-4872950d210f",
"Attribute": [
{
"category": "Financial fraud",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "address",
"timestamp": "1524473152",
"to_ids": true,
"type": "btc",
"uuid": "5add9d40-827c-445a-a400-4438950d210f",
"value": "1cimKyzS64PRNEiG89iFU3qzckVuEQuUj"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "symbol",
"timestamp": "1524473153",
"to_ids": false,
"type": "text",
"uuid": "5add9d41-2808-4b5c-a7d9-4ef2950d210f",
"value": "BTC"
}
]
}
]
}
}