{"Event":{"info":"OSINT - Kelihos botnet delivering CryptFile2 Ransomware with theme AmericanAirlines",
"Tag":[{"colour":"#004646","exportable":true,"name":"type:OSINT"},{"colour":"#ffffff","exportable":true,"name":"tlp:white"},{"colour":"#2c4f00","exportable":true,"name":"malware_classification:malware-category=\"Ransomware\""},{"colour":"#006c6c","exportable":true,"name":"ecsirt:malicious-code=\"ransomware\""},{"colour":"#420053","exportable":true,"name":"ms-caro-malware:malware-type=\"Ransom\""}],
"publish_timestamp":"1481029387","timestamp":"1481215602","analysis":"2",
"Attribute":[
{"comment":"","category":"External analysis","uuid":"5846b22d-e61c-4563-b63f-4ad1950d210f","timestamp":"1481028141","to_ids":false,"value":"http://garwarner.blogspot.lu/2016/08/american-airlines-spam-from-kelihos.html","disable_correlation":false,"object_relation":null,"type":"link"},
{"comment":"","category":"External analysis","uuid":"5846b25a-f08c-4dff-8e92-418b950d210f","timestamp":"1481028186","to_ids":false,"value":"When we saw the Kelihos botnet delivering ransomware last month on July 8th, we sat up and took notice. The Kelihos botnet has a long history of delivering pharma spam and stock market manipulation spam (pump-n-dump), but now it was spamming the WildFire ransomware. ( See: http://garwarner.blogspot.com/2016/07/kelihos-botnet-delivering-dutch.html ) I was under the impression that it was one of the occasional gimmicks observed with Kelihos where they try something a single time and then move on. I assumed that some script kiddies were testing new ransomware techniques.\nUnfortunately, I was wrong and Kelihos hit back with CryptFile2 encryption ransomware.","disable_correlation":false,"object_relation":null,"type":"comment"},
{"comment":"","category":"Payload delivery","uuid":"5846b291-723c-4f42-beec-31ad950d210f","timestamp":"1481028241","to_ids":false,"value":"Bonus from AmericanAirlines","disable_correlation":false,"object_relation":null,"type":"email-subject"},
{"comment":"","category":"Payload delivery","uuid":"5846b291-1d70-4e89-aa04-31ad950d210f","timestamp":"1481028241","to_ids":false,"value":"AmericanAirlines free 100$","disable_correlation":false,"object_relation":null,"type":"email-subject"},
{"comment":"","category":"Payload delivery","uuid":"5846b291-417c-4d19-ab9a-31ad950d210f","timestamp":"1481028241","to_ids":false,"value":"AmericanAirlines discount","disable_correlation":false,"object_relation":null,"type":"email-subject"},
{"comment":"","category":"Payload delivery","uuid":"5846b292-61dc-4db8-b5e4-31ad950d210f","timestamp":"1481028242","to_ids":false,"value":"Free fly with AmericanAirlines","disable_correlation":false,"object_relation":null,"type":"email-subject"},
{"comment":"","category":"Network activity","uuid":"5846b34b-5314-4292-a7ff-4370950d210f","timestamp":"1481028427","to_ids":true,"value":"http://dataupllinks.top/nfdk/ticket1845.doc","disable_correlation":false,"object_relation":null,"type":"url"},
{"comment":"","category":"Network activity","uuid":"5846b34b-d860-4263-82ff-47a5950d210f","timestamp":"1481028427","to_ids":true,"value":"http://ftp.dataupllinks.top/edsf/tick-873.doc","disable_correlation":false,"object_relation":null,"type":"url"},
{"comment":"","category":"Network activity","uuid":"5846b34c-6e50-4082-af0e-4bc9950d210f","timestamp":"1481028428","to_ids":true,"value":"http://ftp.filesgigastor.top/23tf/disc_tick-235.doc","disable_correlation":false,"object_relation":null,"type":"url"},
{"comment":"","category":"Network activity","uuid":"5846b34c-d918-477e-9688-4f72950d210f","timestamp":"1481028428","to_ids":true,"value":"http://www.webdataupllinks.net/rety/tick-834.doc","disable_correlation":false,"object_relation":null,"type":"url"},
{"comment":"","category":"Payload delivery","uuid":"5846b399-f940-4a5d-932d-443e950d210f","timestamp":"1481028505","to_ids":true,"value
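How a SOC would actually consume this event, as an added example that is not part of the MISP export or of the referenced blog post: parse the event JSON, keep only attributes flagged `to_ids: true` (the `url` indicators here), and run them over proxy logs. The `link`, `comment` and `email-subject` attributes carry `to_ids: false` and are kept as analyst context only, since lure subjects such as "AmericanAirlines discount" would match legitimate mail. The event fragment below is trimmed from the attributes visible on the page (UUIDs and timestamps dropped); the proxy log lines and their format are constructed sample data, and the host matching is exact-match by design so that a lookalike such as `dataupllinks.top.example.net` is not a false positive.

```python
"""Turn a MISP event export into a proxy-log lookup.

Added example; the event fragment is trimmed from the attributes on this page,
the proxy log lines are constructed sample data.
"""
import json
from urllib.parse import urlsplit

# Constructed: trimmed copy of the page's event (UUIDs/timestamps removed).
EVENT_JSON = r'''
{"Event": {
 "info": "OSINT - Kelihos botnet delivering CryptFile2 Ransomware with theme AmericanAirlines",
 "Attribute": [
  {"category": "External analysis", "type": "link", "to_ids": false,
   "value": "http://garwarner.blogspot.lu/2016/08/american-airlines-spam-from-kelihos.html"},
  {"category": "Payload delivery", "type": "email-subject", "to_ids": false,
   "value": "Bonus from AmericanAirlines"},
  {"category": "Payload delivery", "type": "email-subject", "to_ids": false,
   "value": "AmericanAirlines free 100$"},
  {"category": "Payload delivery", "type": "email-subject", "to_ids": false,
   "value": "AmericanAirlines discount"},
  {"category": "Payload delivery", "type": "email-subject", "to_ids": false,
   "value": "Free fly with AmericanAirlines"},
  {"category": "Network activity", "type": "url", "to_ids": true,
   "value": "http://dataupllinks.top/nfdk/ticket1845.doc"},
  {"category": "Network activity", "type": "url", "to_ids": true,
   "value": "http://ftp.dataupllinks.top/edsf/tick-873.doc"},
  {"category": "Network activity", "type": "url", "to_ids": true,
   "value": "http://ftp.filesgigastor.top/23tf/disc_tick-235.doc"},
  {"category": "Network activity", "type": "url", "to_ids": true,
   "value": "http://www.webdataupllinks.net/rety/tick-834.doc"}
 ]}}
'''

EVENT = json.loads(EVENT_JSON)


def ids_attributes(event):
    """Only attributes the event owner flagged as safe for automated detection."""
    return [a for a in event["Event"]["Attribute"] if a.get("to_ids")]


def lure_subjects(event):
    """Context for analysts and mail-log hunting; deliberately not pushed to IDS."""
    return [a["value"] for a in event["Event"]["Attribute"]
            if a["type"] == "email-subject"]


def url_set(attrs):
    return {a["value"] for a in attrs if a["type"] == "url"}


def host_set(attrs):
    """Hostnames from url/hostname/domain attributes, lower-cased, exact match only."""
    hosts = set()
    for a in attrs:
        if a["type"] == "url":
            host = urlsplit(a["value"]).hostname
            if host:
                hosts.add(host.lower())
        elif a["type"] in ("hostname", "domain"):
            hosts.add(a["value"].lower())
    return hosts


# Constructed sample proxy log: "<epoch> <client> <status> <method> <url>".
PROXY_LOG = """\
1481030001.123 192.0.2.10 TCP_MISS/200 GET http://dataupllinks.top/nfdk/ticket1845.doc
1481030002.456 192.0.2.11 TCP_MISS/200 GET http://www.example.com/index.html
1481030003.789 192.0.2.12 TCP_MISS/404 GET http://ftp.filesgigastor.top/other/file.doc
1481030004.012 192.0.2.13 TCP_MISS/200 GET http://dataupllinks.top.example.net/x.doc
"""


def match_proxy_log(log_text, urls, hosts):
    """Return (client, url, reason) for each line hitting a known URL or host.

    A full-URL hit is stronger than a host-only hit, so report which one fired;
    the host check is exact, so suffix lookalikes do not match.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the feed
        client, url = fields[1], fields[4]
        host = (urlsplit(url).hostname or "").lower()
        if url in urls:
            hits.append((client, url, "url"))
        elif host in hosts:
            hits.append((client, url, "host"))
    return hits


if __name__ == "__main__":
    ids = ids_attributes(EVENT)
    for hit in match_proxy_log(PROXY_LOG, url_set(ids), host_set(ids)):
        print(hit)
```

The host-level match catches the third log line, which fetches a different path from an indicator host: the event lists four distinct `.doc` paths across these hosts, so in practice the host is the stable indicator and the path is not.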