{ "Event": { "analysis": "2", "date": "2016-04-20", "extends_uuid": "", "info": "OSINT - Your Package Has Been Successfully Encrypted: TeslaCrypt 4.1A and the Malware Attack Chain", "publish_timestamp": "1461252169", "published": true, "threat_level_id": "3", "timestamp": "1461251927", "uuid": "57189d1b-e90c-4d93-8383-41d8950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#2c4f00", "local": false, "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461230904", "to_ids": false, "type": "comment", "uuid": "57189d38-d0dc-4f17-beef-4b07950d210f", "value": "Ransomware quickly gained national headlines in February after the Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoins to regain access to its systems. Since then, other hospitals have similarly been attacked with ransomware, leading some industry experts to proclaim it an industry-specific crisis. Although it is commonly associated with directed campaigns aimed at high-value targets such as hospitals, ransomware is actually becoming less targeted and more omnidirectional. As our latest research on TeslaCrypt demonstrates, ransomware not only is becoming more widespread, but it is also becoming more sophisticated and adaptable. TeslaCrypt 4.1A is only a week old and contains an even greater variety of stealth and obfuscation techniques than its previous variants, the earliest of which is just over a year old. Organizations and individuals alike must be aware ransomware is equally likely to be found in personal networks as in critical infrastructure networks, and that its rapid transformation and growing sophistication presents significant challenges to the security community and significant threats to users of all kinds." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461230918", "to_ids": false, "type": "link", "uuid": "57189d46-1b44-4f9c-a406-4eb1950d210f", "value": "https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461231027", "to_ids": true, "type": "filename|sha256", "uuid": "57189db3-03d4-4938-9994-43ef950d210f", "value": "80.exe|8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461231028", "to_ids": true, "type": "filename|sha256", "uuid": "57189db4-b1c4-454e-8c9c-4fd9950d210f", "value": "transaction_wcVSdU.js|e2dcee410447911bb3bb7fa5731e06adcfe123fa09f43333dbffb9cca26c7163" }, { "category": "Payload delivery", "comment": "TeslaCrypt payload", "deleted": false, "disable_correlation": false, "timestamp": "1461231317", "to_ids": true, "type": "md5", "uuid": "57189ed5-5efc-4daa-84e3-4abb950d210f", "value": "6bfa1c01c3af6206a189b975178965fe" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461233331", "to_ids": true, "type": "url", "uuid": "5718a6b3-31c4-4041-a039-4111950d210f", "value": "loseweightwithmysite.com/sys_info.php" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461233331", "to_ids": true, "type": "url", "uuid": "5718a6b3-873c-4697-aa0e-493d950d210f", "value": "greetingsyoungqq.com/80.exe" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461233332", "to_ids": true, "type": "url", "uuid": "5718a6b4-56bc-460a-90ac-4f34950d210f", "value": "helcel.com/sys_init.php" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461233332", "to_ids": true, "type": "url", "uuid": "5718a6b4-f41c-4d92-8189-4d2f950d210f", "value": "thinktrimbebeautiful.com.au/sys_init.php" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461233332", "to_ids": true, "type": "url", "uuid": "5718a6b4-8678-4648-aa94-4f9a950d210f", "value": "lorangeriedelareine.fr/sys_init.php" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461233333", "to_ids": true, "type": "url", "uuid": "5718a6b5-bf30-4316-9f6a-4c50950d210f", "value": "bluedreambd.com/inifile.php" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461233333", "to_ids": true, "type": "url", "uuid": "5718a6b5-a4d8-4474-8d0d-49fe950d210f", "value": "onguso.com/inifile.php" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233423", "to_ids": false, "type": "whois-creation-date", "uuid": "5718a70f-5358-41d7-811e-4c10950d210f", "value": "2015-07-25" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233482", "to_ids": false, "type": "whois-creation-date", "uuid": "5718a726-2e84-44a1-976e-429f950d210f", "value": "2016-04-11" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233470", "to_ids": false, "type": "whois-creation-date", "uuid": "5718a73e-4be0-4507-a56d-4a7c950d210f", "value": "2015-09-01" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233503", "to_ids": false, "type": "whois-creation-date", "uuid": "5718a75f-a6b8-468c-ba63-4926950d210f", "value": "2012-07-05" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233639", "to_ids": false, "type": "whois-creation-date", "uuid": "5718a7e7-6190-4ae1-8f88-4133950d210f", "value": "2015-08-21" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233657", "to_ids": false, "type": "whois-creation-date", "uuid": "5718a7f9-9ee0-4907-af67-4094950d210f", "value": "2016-03-17" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233712", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718a830-b170-4aee-a070-4a48950d210f", "value": "whois@hostmonster.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233727", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718a83f-9834-4f5e-90de-41c5950d210f", "value": "abuse@hostmonster.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233797", "to_ids": false, "type": "whois-registrant-phone", "uuid": "5718a885-ca6c-4558-86d2-44be950d210f", "value": "0018014948462" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233812", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718a894-a310-4d77-b40f-4187950d210f", "value": "DOMAIN PRIVACY SERVICE FBO REGISTRANT" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233828", "to_ids": false, "type": "whois-registrar", "uuid": "5718a8a4-7cc4-4054-8adc-4c48950d210f", "value": "FastDomain Inc." }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233859", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718a8c3-6a78-4bdb-9225-48b3950d210f", "value": "99be7643aba6f315e9e3e062eaeb8ce3184804530203dd7b822bb45f1d55c69d@greetingsyoungqq.com.whoisproxy.org" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233873", "to_ids": false, "type": "whois-registrant-phone", "uuid": "5718a8d1-b3b8-4abf-a0f7-492f950d210f", "value": "006448319528" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233888", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718a8e0-ce08-4df8-9f78-4881950d210f", "value": "On behalf of greetingsyoungqq.com OWNER" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233904", "to_ids": false, "type": "whois-registrar", "uuid": "5718a8f0-ca34-47ae-a3ba-453f950d210f", "value": "Key-Systems GmbH" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233962", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718a92a-ca24-4be0-af31-4681950d210f", "value": "helcel.com@contactprivacy.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461233992", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718a948-5498-4c14-b324-42b2950d210f", "value": "registrars@ecommerce.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234031", "to_ids": false, "type": "whois-registrant-phone", "uuid": "5718a96f-b9ec-4609-af74-4192950d210f", "value": "0014165385457" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234048", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718a980-0264-4691-83bb-4ae7950d210f", "value": "Contact Privacy Inc. Customer 0141203229" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234059", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718a98b-1c50-4c87-91a5-4fde950d210f", "value": "Private Registrant" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234070", "to_ids": false, "type": "whois-registrar", "uuid": "5718a996-1b18-4796-9b04-4303950d210f", "value": "TUCOWS, INC." }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234108", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718a9bc-91f4-4f97-a599-4fd7950d210f", "value": "dougmccoy@hotmail.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234123", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718a9cb-e8f0-4152-b90d-4075950d210f", "value": "domains@crazydomains.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234136", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718a9d8-7108-450b-a5a6-4fd1950d210f", "value": "DOUGLAS MCCOY" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461234150", "to_ids": false, "type": "whois-registrar", "uuid": "5718a9e6-234c-417f-8c61-4a37950d210f", "value": "CRAZY DOMAINS FZ-LLC" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237732", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718b7e4-b3d4-47b1-a07c-4c0b950d210f", "value": "hebergement@online.net" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237749", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718b7f5-90f4-410d-b3df-4be7950d210f", "value": "odysseeconsultin.957595@spamfree.bookmyname.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237762", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718b802-6c30-4db5-ac12-4751950d210f", "value": "hostmaster@proxad.net" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237775", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718b80f-861c-463f-b8a0-45b5950d210f", "value": "ODYSSEE CONSULTING" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237821", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718b83d-6ccc-4836-a98c-44c6950d210f", "value": "raselnu86@gmail.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237833", "to_ids": false, "type": "whois-registrant-phone", "uuid": "5718b849-e6f0-4e32-bc12-4d90950d210f", "value": "0088001932403451" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237846", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718b856-d3d0-435f-baad-4db1950d210f", "value": "Md. Shohag chowdhury" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237864", "to_ids": false, "type": "whois-registrar", "uuid": "5718b868-71e4-48bc-9cbf-4472950d210f", "value": "PDR Ltd. d/b/a PublicDomainRegistry.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237887", "to_ids": false, "type": "whois-registrant-email", "uuid": "5718b87f-34f0-4432-88c0-4254950d210f", "value": "lllcpxjqm@whoisprivacyprotect.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237900", "to_ids": false, "type": "whois-registrant-phone", "uuid": "5718b88c-6714-4eb4-a050-4d12950d210f", "value": "0014252740657" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237919", "to_ids": false, "type": "whois-registrant-name", "uuid": "5718b89f-8270-4459-b56c-40fd950d210f", "value": "WHOIS AGENT" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461237935", "to_ids": false, "type": "whois-registrar", "uuid": "5718b8af-0db0-4fbe-9dae-48c1950d210f", "value": "ENOM, INC." }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: e2dcee410447911bb3bb7fa5731e06adcfe123fa09f43333dbffb9cca26c7163", "deleted": false, "disable_correlation": false, "timestamp": "1461251927", "to_ids": true, "type": "sha1", "uuid": "5718ef57-26c0-4be6-842a-401f02de0b81", "value": "35ef669b60f566e488dfb8b4487f5b074b7fc599" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: e2dcee410447911bb3bb7fa5731e06adcfe123fa09f43333dbffb9cca26c7163", "deleted": false, "disable_correlation": false, "timestamp": "1461251927", "to_ids": true, "type": "md5", "uuid": "5718ef57-9958-4cbc-a2a2-4ae902de0b81", "value": "0eec3406dfb374a7df4c2bb856db1625" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461251927", "to_ids": false, "type": "link", "uuid": "5718ef57-522c-42f2-a266-4a3f02de0b81", "value": "https://www.virustotal.com/file/e2dcee410447911bb3bb7fa5731e06adcfe123fa09f43333dbffb9cca26c7163/analysis/1461249074/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071", "deleted": false, "disable_correlation": false, "timestamp": "1461251928", "to_ids": true, "type": "sha1", "uuid": "5718ef58-7f00-469e-bd9b-463402de0b81", "value": "260dd322089862a5400a00dbcb35774b66ce2d47" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461251928", "to_ids": false, "type": "link", "uuid": "5718ef58-8bf0-4721-be56-4e0502de0b81", "value": "https://www.virustotal.com/file/8184432307b0f546d168e3e386a20999f5b0de0bd4085753bb2b09cfc7fec071/analysis/1461168082/" } ] } }