{ "Event": { "analysis": "2", "date": "2016-03-25", "extends_uuid": "", "info": "OSINT - SURGE IN SPAM CAMPAIGN DELIVERING LOCKY RANSOMWARE DOWNLOADERS", "publish_timestamp": "1458932887", "published": true, "threat_level_id": "3", "timestamp": "1458932871", "uuid": "56f58bcc-96e4-49d2-bc8b-faf7950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458932721", "to_ids": false, "type": "link", "uuid": "56f58bf1-3870-4b38-b851-faf0950d210f", "value": "https://www.fireeye.com/blog/threat-research/2016/03/surge_in_spam_campai.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458932741", "to_ids": false, "type": "comment", "uuid": "56f58c05-770c-4455-9aaa-46d2950d210f", "value": "FireEye Labs is detecting a significant spike in Locky ransomware downloaders due to a pair of concurrent email spam campaigns impacting users in over 50 countries. Some of the top affected countries are depicted in Figure 1." }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1458932760", "to_ids": true, "type": "ip-dst", "uuid": "56f58c18-9e90-4c3c-8985-faf7950d210f", "value": "188.138.88.184" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1458932761", "to_ids": true, "type": "ip-dst", "uuid": "56f58c19-5bf8-4657-b19b-faf7950d210f", "value": "31.41.47.37" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1458932761", "to_ids": true, "type": "ip-dst", "uuid": "56f58c19-5dd4-4fc0-ac9d-faf7950d210f", "value": "5.34.183.136" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1458932761", "to_ids": true, "type": "ip-dst", "uuid": "56f58c19-bd84-4fee-a4d8-faf7950d210f", "value": "91.121.97.170" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458932795", "to_ids": true, "type": "md5", "uuid": "56f58c3b-4968-4f48-9cbf-faf1950d210f", "value": "3f118d0b888430ab9f58fc2589207988" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458932828", "to_ids": true, "type": "regkey|value", "uuid": "56f58c5c-e06c-4aab-9e08-faee950d210f", "value": "HKCU\\Control Panel\\Desktop\\Wallpaper|%CSIDL_DESKTOPDIRECTORY%\\_Locky_recover_instructions.bmp" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 3f118d0b888430ab9f58fc2589207988", "deleted": false, "disable_correlation": false, "timestamp": "1458932871", "to_ids": true, "type": "sha256", "uuid": "56f58c87-0e18-4b86-96be-4fc502de0b81", "value": "f927efd7cd2da3a052d857632f78ccf04b673e2774f6ce9a075e654dfd77d940" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 3f118d0b888430ab9f58fc2589207988", "deleted": false, "disable_correlation": false, "timestamp": "1458932872", "to_ids": true, "type": "sha1", "uuid": "56f58c88-2e54-4f15-87dc-43f802de0b81", "value": "1231e4a00c3da3ae8001a0620bae1242ef95d095" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1458932872", "to_ids": false, "type": "link", "uuid": "56f58c88-b490-4c7f-ae54-469c02de0b81", "value": "https://www.virustotal.com/file/f927efd7cd2da3a052d857632f78ccf04b673e2774f6ce9a075e654dfd77d940/analysis/1458838562/" } ] } }