2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "2" ,
"date" : "2016-06-27" ,
"extends_uuid" : "" ,
"info" : "OSINT - Doh! New \"Bart\" Ransomware from Threat Actors Spreading Dridex and Locky" ,
"publish_timestamp" : "1467020623" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1467020458" ,
"uuid" : "5770f374-7cc4-40d6-9d1f-46f8950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#3a7300" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "circl:incident-classification=\"malware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#006c6c" ,
2024-04-05 12:15:17 +00:00
"local" : false ,
2023-12-14 14:30:15 +00:00
"name" : "ecsirt:malicious-code=\"ransomware\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020172" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5770f38c-1824-4bb7-b138-461a950d210f" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020191" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "5770f39f-083c-402d-983a-443e950d210f" ,
"value" : "Overview\r\n\r\nThe actors behind Dridex 220 and Locky Affid=3 have introduced a new ransomware called \u00e2\u20ac\u0153Bart\u00e2\u20ac\u009d. They are using the RockLoader malware to download Bart over HTTPS. Bart has a payment screen like Locky but encrypts files without first connecting to a command and control (C&C) server.\r\n\r\nAnalysis\r\n\r\nOn June 24, Proofpoint researchers detected a large campaign with .zip attachments containing JavaScript code. If opened, these attachments download and install the intermediary loader RockLoader (previously discovered by Proofpoint and used with Locky), which in turn downloads the new ransomware called \u00e2\u20ac\u0153Bart\u00e2\u20ac\u009d. The messages in this campaign had the subjects \"Photos\u00e2\u20ac\u009d with the attachment \"photos.zip\", \"image.zip\", \"Photos.zip\", \"photo.zip\", \"Photo.zip\", or \"picture.zip.\" The zip files contained JavaScript file such as \"PDF_123456789.js.\""
} ,
{
"category" : "Payload delivery" ,
"comment" : "Photos.zip email attachment" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020259" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5770f3e3-9a60-40d1-b67d-46fe950d210f" ,
"value" : "247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Imported via the Freetext Import Tool" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020260" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5770f3e4-5d3c-49b9-9751-44de950d210f" ,
"value" : "Photos.zip"
} ,
{
"category" : "Payload delivery" ,
"comment" : "FILE 21076073.js file inside Photos.zip" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020260" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5770f3e4-89ec-4e84-8a65-49b6950d210f" ,
"value" : "7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "RockLoader" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020261" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5770f3e5-747c-4544-8ef5-4cbf950d210f" ,
"value" : "5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "6kuTU1.exe (Bart ransomware)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020261" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5770f3e5-3fd8-46d0-8db2-4062950d210f" ,
"value" : "51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705"
} ,
{
"category" : "Network activity" ,
"comment" : "JavaScript Payload (RockLoader)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020282" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5770f3fa-9888-452b-99ca-4afc950d210f" ,
"value" : "http://camera-test.hi2.ro/89ug6b7ui?voQeTqDw=RUYEzU"
} ,
{
"category" : "Network activity" ,
"comment" : "Rockloader C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020332" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5770f42c-7760-4e9b-bd75-3123950d210f" ,
"value" : "https://summerr554fox.su/api/"
} ,
{
"category" : "Network activity" ,
"comment" : "RockLoader Payload" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020333" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5770f42d-90cc-4a11-a948-3123950d210f" ,
"value" : "https://summerr554fox.su/files/6kuTU1.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "6kuTU1.exe (Bart ransomware) - Xchecked via VT: 51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020458" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5770f4aa-bc0c-4416-9044-42e102de0b81" ,
"value" : "158137d4835f7596ad0ef2a191d0e0d8976f0089"
} ,
{
"category" : "Payload delivery" ,
"comment" : "6kuTU1.exe (Bart ransomware) - Xchecked via VT: 51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020459" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5770f4ab-4e1c-42ff-a419-4ea802de0b81" ,
"value" : "65535f2b1ecee54718233e40e3f333b2"
} ,
{
"category" : "External analysis" ,
"comment" : "6kuTU1.exe (Bart ransomware) - Xchecked via VT: 51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020459" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5770f4ab-8ff4-4327-8fac-4ff002de0b81" ,
"value" : "https://www.virustotal.com/file/51ff4a033018d9343049305061dcde77cb5f26f5ec48d1be42669f368b1f5705/analysis/1466936803/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "RockLoader - Xchecked via VT: 5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020460" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5770f4ac-c42c-4a7e-bd79-4b3402de0b81" ,
"value" : "960ec30ad5e94a35991a30b36411a4144b97b0d3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "RockLoader - Xchecked via VT: 5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020460" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5770f4ac-3c28-4572-b1f0-44e702de0b81" ,
"value" : "846171e2629b712429a903811d19c12b"
} ,
{
"category" : "External analysis" ,
"comment" : "RockLoader - Xchecked via VT: 5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020461" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5770f4ad-d7e0-4ed6-a52f-426502de0b81" ,
"value" : "https://www.virustotal.com/file/5d3e7c31f786bbdc149df632253fd538fb21cfc0aa364d0f03a79671bbaec62d/analysis/1466991759/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "FILE 21076073.js file inside Photos.zip - Xchecked via VT: 7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020461" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5770f4ad-1500-4ca1-a628-4c5902de0b81" ,
"value" : "387e6c2936af749d34690a8090127d75eb0970ea"
} ,
{
"category" : "Payload delivery" ,
"comment" : "FILE 21076073.js file inside Photos.zip - Xchecked via VT: 7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020461" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5770f4ad-0968-41cc-80ee-404802de0b81" ,
"value" : "2808adab51f43b747ce61034a96ab9de"
} ,
{
"category" : "External analysis" ,
"comment" : "FILE 21076073.js file inside Photos.zip - Xchecked via VT: 7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020462" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5770f4ae-7678-403c-9b07-4bb102de0b81" ,
"value" : "https://www.virustotal.com/file/7bb1e8e039d222a51a71599af75b56151a878cf8bbe1f9d3ad5be18200b2286b/analysis/1467016185/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Photos.zip email attachment - Xchecked via VT: 247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020462" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5770f4ae-d228-48f7-b9f8-402002de0b81" ,
"value" : "929b26eb040c5976af32be4f19e059d016df2273"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Photos.zip email attachment - Xchecked via VT: 247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020463" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5770f4af-ed3c-4a99-8a7b-4e8902de0b81" ,
"value" : "c9c69655db4a45686f9dcef0108b49b5"
} ,
{
"category" : "External analysis" ,
"comment" : "Photos.zip email attachment - Xchecked via VT: 247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1467020463" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5770f4af-9f58-4ffe-a278-4cdc02de0b81" ,
"value" : "https://www.virustotal.com/file/247e2c07e57030607de901a461719ae2bb2ac27a90623ea5fd69f7f036c4ea0d/analysis/1467017028/"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}
