{ "Event": { "analysis": "2", "date": "2016-02-17", "extends_uuid": "", "info": "OSINT - Dridex Actors Get In the Ransomware Game With \"Locky\"", "publish_timestamp": "1455725370", "published": true, "threat_level_id": "3", "timestamp": "1455720179", "uuid": "56c44d9a-a738-4a22-9306-058c950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1455705639", "to_ids": false, "type": "link", "uuid": "56c44e27-8b0c-481f-9f2c-659e950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1455705984", "to_ids": false, "type": "comment", "uuid": "56c44e47-c110-4aab-ad9b-659b950d210f", "value": "Proofpoint researchers have discovered a new ransomware named \"Locky\" being distributed via MS Word documents with malicious macros. While a variety of new ransomware has appeared since the end of 2015, Locky stands out because it is being delivered by the same actor behind many of the Dridex campaigns we have tracked over the last year." }, { "category": "Network activity", "comment": "Payment URIs (Locky asks user to click these links)", "deleted": false, "disable_correlation": false, "timestamp": "1455705727", "to_ids": true, "type": "url", "uuid": "56c44e7f-356c-4509-a371-42d5950d210f", "value": "http://6dtxgqam4crv6rr6.tor2web.org" }, { "category": "Network activity", "comment": "Payment URIs (Locky asks user to click these links)", "deleted": false, "disable_correlation": false, "timestamp": "1455705727", "to_ids": true, "type": "url", "uuid": "56c44e7f-c92c-4116-bed0-44e3950d210f", "value": "http://6dtxgqam4crv6rr6.onion.to" }, { "category": "Network activity", "comment": "Payment URIs (Locky asks user to click these links)", "deleted": false, "disable_correlation": false, "timestamp": "1455705727", "to_ids": true, "type": "url", "uuid": "56c44e7f-7424-4a58-b009-4a0b950d210f", "value": "http://6dtxgqam4crv6rr6.onion.cab" }, { "category": "Network activity", "comment": "Payment URIs (Locky asks user to click these links)", "deleted": false, "disable_correlation": false, "timestamp": "1455705728", "to_ids": true, "type": "url", "uuid": "56c44e80-4168-4412-883a-4373950d210f", "value": "http://6dtxgqam4crv6rr6.onion.link" }, { "category": "Network activity", "comment": "Payment URIs (Locky asks user to click these links)", "deleted": false, "disable_correlation": false, "timestamp": "1455705728", "to_ids": true, "type": "url", "uuid": "56c44e80-6c6c-46db-bdf2-4377950d210f", "value": "https://6dtxgqam4crv6rr6.onion" }, { "category": "Network activity", "comment": "Locky C2", "deleted": false, "disable_correlation": false, "timestamp": "1455705800", "to_ids": true, "type": "url", "uuid": "56c44ec8-ddf0-4c29-b765-42bc950d210f", "value": "http://109.234.38.35/main.php" }, { "category": "Network activity", "comment": "Locky C2", "deleted": false, "disable_correlation": false, "timestamp": "1455705800", "to_ids": true, "type": "url", "uuid": "56c44ec8-2100-442b-9b8a-44e1950d210f", "value": "http://lneqqkvxxogomu.eu/main.php" }, { "category": "Network activity", "comment": "Locky C2", "deleted": false, "disable_correlation": false, "timestamp": "1455705800", "to_ids": true, "type": "url", "uuid": "56c44ec8-60b4-4512-af9e-4771950d210f", "value": "http://qpdar.pw/main.php" }, { "category": "Network activity", "comment": "Locky C2", "deleted": false, "disable_correlation": false, "timestamp": "1455705801", "to_ids": true, "type": "url", "uuid": "56c44ec9-245c-4ef1-9ebb-4cb8950d210f", "value": "http://ydbayd.de/main.php" }, { "category": "Network activity", "comment": "Locky C2", "deleted": false, "disable_correlation": false, "timestamp": "1455705801", "to_ids": true, "type": "url", "uuid": "56c44ec9-bc18-4f00-be97-4f40950d210f", "value": "http://ssojravpf.be/main.php" }, { "category": "Network activity", "comment": "Locky C2", "deleted": false, "disable_correlation": false, "timestamp": "1455705801", "to_ids": true, "type": "url", "uuid": "56c44ec9-d334-4804-b8aa-4780950d210f", "value": "http://gioaqjklhoxf.eu/main.php" }, { "category": "Network activity", "comment": "Locky C2", "deleted": false, "disable_correlation": false, "timestamp": "1455705802", "to_ids": true, "type": "url", "uuid": "56c44eca-a00c-462a-9c72-469a950d210f", "value": "http://txlmnqnunppnpuq.ru/main.php" }, { "category": "Network activity", "comment": "Payloads downloaded by macro", "deleted": false, "disable_correlation": false, "timestamp": "1455705837", "to_ids": true, "type": "url", "uuid": "56c44eed-24dc-4e71-8a5d-4167950d210f", "value": "http://www.iglobali.com/34gf5y/r34f3345g.exe" }, { "category": "Network activity", "comment": "Payloads downloaded by macro", "deleted": false, "disable_correlation": false, "timestamp": "1455705837", "to_ids": true, "type": "url", "uuid": "56c44eed-6f04-498d-89ad-4371950d210f", "value": "http://www.southlife.church/34gf5y/r34f3345g.exe" }, { "category": "Network activity", "comment": "Payloads downloaded by macro", "deleted": false, "disable_correlation": false, "timestamp": "1455705838", "to_ids": true, "type": "url", "uuid": "56c44eee-6b80-412d-b219-4781950d210f", "value": "http://www.villaggio.airwave.at/34gf5y/r34f3345g.exe" }, { "category": "Network activity", "comment": "Payloads downloaded by macro", "deleted": false, "disable_correlation": false, "timestamp": "1455705838", "to_ids": true, "type": "url", "uuid": "56c44eee-d6e4-4edc-a889-459a950d210f", "value": "http://www.jesusdenazaret.com.ve/34gf5y/r34f3345g.exe" }, { "category": "Network activity", "comment": "Payloads downloaded by macro", "deleted": false, "disable_correlation": false, "timestamp": "1455705838", "to_ids": true, "type": "url", "uuid": "56c44eee-07f4-452b-b63e-4091950d210f", "value": "http://66.133.129.5/~chuckgilbert/09u8h76f/65fg67n" }, { "category": "Network activity", "comment": "Payloads downloaded by macro", "deleted": false, "disable_correlation": false, "timestamp": "1455705839", "to_ids": true, "type": "url", "uuid": "56c44eef-8e00-4b72-8271-49ee950d210f", "value": "http://173.214.183.81/~tomorrowhope/09u8h76f/65fg67n" }, { "category": "Network activity", "comment": "Payloads downloaded by macro", "deleted": false, "disable_correlation": false, "timestamp": "1455705839", "to_ids": true, "type": "url", "uuid": "56c44eef-b904-4b5e-ac3d-4827950d210f", "value": "http://iynus.net/~test/09u8h76f/65fg67n" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1455720179", "to_ids": true, "type": "regkey", "uuid": "56c44f11-3b1c-410d-9ab2-4d31950d210f", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Locky" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1455720178", "to_ids": true, "type": "regkey", "uuid": "56c44f11-56b4-4280-a544-470e950d210f", "value": "HKCU\\Software\\Locky\\id" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1455720178", "to_ids": true, "type": "regkey", "uuid": "56c44f11-960c-40ea-b988-4a98950d210f", "value": "HKCU\\Software\\Locky\\pubkey" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1455720178", "to_ids": true, "type": "regkey", "uuid": "56c44f12-8278-4076-b08d-4c22950d210f", "value": "HKCU\\Software\\Locky\\paytext" }, { "category": "Network activity", "comment": "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf", "deleted": false, "disable_correlation": false, "timestamp": "1455705990", "to_ids": true, "type": "domain", "uuid": "56c44f6a-4084-4283-8701-659d950d210f", "value": "vkrdbsrqpi.de" }, { "category": "Network activity", "comment": "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf", "deleted": false, "disable_correlation": false, "timestamp": "1455705963", "to_ids": true, "type": "domain", "uuid": "56c44f6b-de78-4b97-b34e-659d950d210f", "value": "jaomjlyvwxgdt.fr" }, { "category": "Network activity", "comment": "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf", "deleted": false, "disable_correlation": false, "timestamp": "1455705963", "to_ids": true, "type": "domain", "uuid": "56c44f6b-5f08-4d9f-b024-659d950d210f", "value": "wpogw.it" }, { "category": "Network activity", "comment": "Locky also appears to generate DGA traffic for command and control (the list of domains below were unregistered at the time of investigation) - See more at: https://www.proofpoint.com/us/threat-insight/post/Dridex-Actors-Get-In-the-Ransomware-Game-With-Locky#sthash.MoLx2rvu.dpuf", "deleted": false, "disable_correlation": false, "timestamp": "1455705963", "to_ids": true, "type": "domain", "uuid": "56c44f6b-176c-49ba-8548-659d950d210f", "value": "ofhhoowfmnuihyd.ru" } ] } }