{"Event":{"info":"OSINT - A Closer Look at the Mamba Ransomware that Struck San Francisco Rail System","Tag":[{"colour":"#004646","exportable":true,"name":"type:OSINT"},{"colour":"#ffffff","exportable":true,"name":"tlp:white"},{"colour":"#2c4f00","exportable":true,"name":"malware_classification:malware-category=\"Ransomware\""}],"publish_timestamp":"0","timestamp":"1481108171","analysis":"2","Attribute":[{"comment":"","category":"External analysis","uuid":"5847e4bb-1600-49aa-9c85-42a7950d210f","timestamp":"1481106619","to_ids":false,"value":"http://blog.fortinet.com/2016/12/05/a-closer-look-at-the-mamba-ransomware-that-struck-san-francisco-rail-system","disable_correlation":false,"object_relation":null,"type":"link"},{"comment":"","category":"External analysis","uuid":"5847e4cb-3438-427b-a487-d9c5950d210f","timestamp":"1481106635","to_ids":false,"value":"Recently, the San Francisco Municipal Transportation Agency, also known as MUNI, was attacked by a new variant of Mamba (a.k.a HDDCryptor) \u2013 a disk-encrypting ransomware. The incident left their ticketing services with inoperational systems and a note that read, \u201cYou Hacked,ALL Data Encrypted,Contact For Key(cryptom27@yandex.com)\u201d\r\n\r\nFortinet first discovered Mamba two months ago. Since then, it has been under the radar \u2013 until this big attack. We will now take a look at a few irregularities and some new developments it has employed over the past few months.","disable_correlation":false,"object_relation":null,"type":"comment"},{"comment":"","category":"Artifacts dropped","uuid":"5847e51a-5130-40ed-9c6c-d9c5950d210f","timestamp":"1481106737","to_ids":true,"value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DefragmentService","disable_correlation":false,"object_relation":null,"type":"regkey"},{"comment":"","category":"Artifacts dropped","uuid":"5847e51a-696c-415f-8bdb-d9c5950d210f","timestamp":"1481106737","to_ids":true,"value":"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dcrypt","disable_correlation":false,"object_relation":null,"type":"regkey"},{"comment":"","category":"Payload delivery","uuid":"5847e74e-77fc-464c-8660-d9c6950d210f","timestamp":"1481107278","to_ids":true,"value":"%SystemRoot%\\Users\\WWW\\dcrypt.sys","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"5847e86f-e398-4fe6-a51e-ea04950d210f","timestamp":"1481107567","to_ids":true,"value":"%SystemRoot%\\Users\\WWW\\dcrypt.exe","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"5847e86f-8ce8-4981-ac89-ea04950d210f","timestamp":"1481107567","to_ids":true,"value":"%SystemRoot%\\Users\\WWW\\dcinst.exe","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"5847e86f-0b7c-4d8c-b0d7-ea04950d210f","timestamp":"1481107567","to_ids":true,"value":"%SystemRoot%\\Users\\WWW\\dccon.exe","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"5847e870-be90-47b6-bbcb-ea04950d210f","timestamp":"1481107568","to_ids":true,"value":"%SystemRoot%\\Users\\WWW\\dcapi.dll","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"5847e870-abd0-4e49-abf5-ea04950d210f","timestamp":"1481107568","to_ids":true,"value":"%SystemRoot%\\Users\\WWW\\netpass.exe","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"5847e870-6414-4f2f-8172-ea04950d210f","timestamp":"1481107568","to_ids":true,"value":"%SystemRoot%\\Users\\WWW\\Mount.exe","disable_correlation":false,"object_relation":null,"type":"filename"},{"comment":"","category":"Payload delivery","uuid":"5847e870-02