{ "Event": { "analysis": "2", "date": "2017-02-07", "extends_uuid": "", "info": "Erebus Ransomware Utilizes a UAC Bypass and Request a $90 Ransom Payment", "publish_timestamp": "1486712925", "published": true, "threat_level_id": "3", "timestamp": "1486712914", "uuid": "589b1a8a-1e10-4e76-860a-4cba950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#2c4f00", "local": false, "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#006c6c", "local": false, "name": "ecsirt:malicious-code=\"ransomware\"", "relationship_type": "" }, { "colour": "#00acd1", "local": false, "name": "veris:action:malware:variety=\"Ransomware\"", "relationship_type": "" }, { "colour": "#39b300", "local": false, "name": "enisa:nefarious-activity-abuse=\"ransomware\"", "relationship_type": "" }, { "colour": "#000000", "local": false, "name": "dnc:malware-type=\"Ransomware\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": false, "type": "link", "uuid": "589b1aad-8768-4196-a952-48ec950d210f", "value": "https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/", "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": false, "type": "comment", "uuid": "589b1ae1-8ea8-4f2f-a702-439d950d210f", "value": "A sample of a potentially new ransomware called Erebus has been discovered by MalwareHunterTeam on VirusTotal. I say that this is a potentially new ransomware because TrendMicro had reported another ransomware using the same name was previously released back in September 2016. Though I do not have a sample of the original Erebus, from its outward characteristics, the one discovered today looks like either a complete rewrite or a new ransomware using the same name..", "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "regkey", "uuid": "589b1b4a-3178-4814-9c07-480a950d210f", "value": "HKEY_CLASSES_ROOT.msc" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "regkey", "uuid": "589b1b4b-3bb0-426a-a692-40a3950d210f", "value": "HKCU\\Software\\Classes\\mscfile" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "regkey", "uuid": "589b1b4c-6378-410a-a1f1-42cd950d210f", "value": "HKCU\\Software\\Classes\\mscfile\\shell" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "regkey", "uuid": "589b1b4d-ea20-47d8-8c30-4812950d210f", "value": "HKCU\\Software\\Classes\\mscfile\\shell\\open" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "regkey", "uuid": "589b1b4d-ff80-4c1d-bed3-440a950d210f", "value": "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "regkey", "uuid": "589b1b4e-8518-4c9e-ae53-49ab950d210f", "value": "HKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\ %UserProfile%\\[random].exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d73-8c78-4bab-9438-4b7f950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d75-2204-45ce-86ea-4f70950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d77-d5dc-4c7b-93df-4d66950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\Tor\\" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d77-b140-49f4-901e-4763950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\Tor\\geoip" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d79-fbc4-4600-9f45-4d55950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Data\\Tor\\geoip6" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d7a-a8fc-4d0e-b0e9-4974950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d7b-29cc-47f9-9524-4258950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libeay32.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d7d-2da0-40cc-b997-4b4f950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libevent-2-0-5.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d7e-8c68-47e6-8bc2-4df9950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libevent_core-2-0-5.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d7f-30fc-425c-b5c8-489f950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libevent_extra-2-0-5.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d81-c620-4c3c-880b-4c58950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libgcc_s_sjlj-1.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d82-46ec-431a-8b78-4f53950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\libssp-0.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d83-bb94-4ea8-abfb-4a42950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\ssleay32.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d83-c664-4696-b610-4d9e950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\tor-gencert.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d85-349c-45e5-8784-4a8e950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\tor.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d86-a4e8-4ec6-84a3-4dad950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor\\Tor\\zlib1.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d87-c6bc-4a04-960c-4223950d210f", "value": "%UserProfile%\\AppData\\Local\\Temp\\tor.zip" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d89-6708-44c9-a4be-4236950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d89-bbdc-4c8c-be68-4902950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-certs" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d8b-e95c-43c2-8931-45f7950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdesc-consensus" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d8c-7ed4-43c0-954b-408f950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdescs.new" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d8d-5728-467a-aab7-4903950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\lock" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d8f-a378-4f2d-9c37-4c29950d210f", "value": "%UserProfile%\\AppData\\Roaming\\tor\\state" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d90-0940-421f-b1fe-4839950d210f", "value": "%UserProfile%\\Desktop\\test\\xor-test.pdf" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d91-703c-4383-8aa5-4771950d210f", "value": "%UserProfile%\\Desktop\\README.html" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d97-6d60-4d40-a35d-42e0950d210f", "value": "%UserProfile%\\Documents\\README.html" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "filename", "uuid": "589b1d98-f3dc-4ed6-a088-4d9a950d210f", "value": "%UserProfile%\\[random].exe" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "url", "uuid": "589b1de4-c14c-483a-b435-4f92950d210f", "value": "http://erebus5743lnq6db.onion/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": true, "type": "sha256", "uuid": "589b1dfc-f4d8-4733-a045-45ed950d210f", "value": "ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": false, "type": "text", "uuid": "589b2243-c398-4060-8b34-49b8950d210f", "value": "Files crypted!\r\nEvery important file on this computer was crypted. Please look on your documents or desktop folder for a file called README.html for instructions on how to decrypt them." }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1486626261", "to_ids": false, "type": "text", "uuid": "589b225d-ae00-4143-acdb-44d3950d210f", "value": "Data crypted\r\n\r\nEvery important file (documents,photos,videos etc) on this computer has been encrypted using an unique key for this computer. \r\nIt is impossible to recover your files without this key. You can try to open them they won't work and will stay that way. \r\n\r\nThat is, unless you buy a decryption key and decrypt your files.\r\nClick 'recover my files' below to go to the website allowing you to buy the key. \r\nFrom now on you have 96 hours to recover the key after this time it will be deleted and your files will stay unusable forever \r\nYour id is : '[id]' you can find this page on your desktop and document folder Use it to \r\n\r\nif the button below doesn't work you need to download a web browser called 'tor browser' \r\ndownload by clicking here then install the browser, it's like chrome, firefox or internet explorer except it allows you to browse to special websites. \r\nonce it's launched browse to http://erebus5743lnq6db.onion" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791", "deleted": false, "disable_correlation": false, "timestamp": "1486626277", "to_ids": true, "type": "sha1", "uuid": "589c1de5-25a0-4e89-90c7-442602de0b81", "value": "6e5fca51a018272d1b1003b16dce6ee9e836908c" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791", "deleted": false, "disable_correlation": false, "timestamp": "1486626277", "to_ids": true, "type": "md5", "uuid": "589c1de5-4bc4-4beb-9de3-4f7d02de0b81", "value": "0ced87772881b63caf95f1d828ba40c5" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791", "deleted": false, "disable_correlation": false, "timestamp": "1486626279", "to_ids": false, "type": "link", "uuid": "589c1de7-49c0-44ea-a90c-4e8202de0b81", "value": "https://www.virustotal.com/file/ed3a685ca65de70b79faf95bbd94c343e73a150e83184f67e0bdb35b11d05791/analysis/1486609351/" } ] } }