{ "Event": { "analysis": "2", "date": "2018-03-24", "extends_uuid": "", "info": "OSINT - The DiskWriter or UselessDisk BootLocker May Be A Wiper", "publish_timestamp": "1523201513", "published": true, "threat_level_id": "3", "timestamp": "1523201507", "uuid": "5ac6140f-5964-4eb8-81bd-4095950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"UselessDisk\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1523200401", "to_ids": false, "type": "link", "uuid": "5ac61454-3594-46fd-8de1-3be0950d210f", "value": "https://www.bleepingcomputer.com/news/security/the-diskwriter-or-uselessdisk-bootlocker-may-be-a-wiper/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1523200402", "to_ids": false, "type": "comment", "uuid": "5ac61490-bc28-4c77-9fd7-4e33950d210f", "value": "A new MBR bootlocker called DiskWriter, or UselessDisk, has been discovered that overwrites the MBR of a victim's computer and then displays a ransom screen on reboot instead of booting into Windows. \nThis ransom note asks for $300 in bitcoins in order to gain access to Windows again.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1523200402", "to_ids": true, "type": "filename", "uuid": "5ac619b3-39f4-4bdc-a22f-3be0950d210f", "value": "DiskWriter.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1523200402", "to_ids": true, "type": "filename", "uuid": "5ac619b3-b258-4e49-9904-3be0950d210f", "value": "UselessDisk.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1523200403", "to_ids": true, "type": "filename", "uuid": "5ac619b4-3ee4-4c02-9e4c-3be0950d210f", "value": "E:\\Debug\\UselessDisk.pdb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1522932166", "to_ids": true, "type": "sha256", "uuid": "5ac619c6-84f0-4be7-b49c-4511950d210f", "value": "bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1523201493", "to_ids": true, "type": "pdb", "uuid": "5aca35d5-3dd4-487d-bb2a-621b02de0b81", "value": "E:\\Debug\\UselessDisk.pdb" } ], "Object": [ { "comment": "", "deleted": false, "description": "An address used in a cryptocurrency", "meta-category": "financial", "name": "coin-address", "template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", "template_version": "2", "timestamp": "1522931877", "uuid": "5ac618a5-04fc-424c-b54d-43e7950d210f", "Attribute": [ { "category": "Financial fraud", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "address", "timestamp": "1522931877", "to_ids": true, "type": "btc", "uuid":
"5ac618a5-2194-4990-a478-4713950d210f", "value": "1GZCw453MzQr8V2VAgJpRmKBYRDUJ8kzco" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "symbol", "timestamp": "1522931878", "to_ids": false, "type": "text", "uuid": "5ac618a6-7594-437a-bcfe-42d5950d210f", "value": "BTC" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1523200406", "uuid": "b36edfe1-10b3-4ce6-850c-48fec67da615", "ObjectReference": [ { "comment": "", "object_uuid": "b36edfe1-10b3-4ce6-850c-48fec67da615", "referenced_uuid": "5d9c2b1a-eb9d-409e-9145-b203188a65aa", "relationship_type": "analysed-with", "timestamp": "1523200406", "uuid": "5aca3196-9f14-4808-8b48-61c702de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1523200403", "to_ids": true, "type": "sha1", "uuid": "5aca3193-cbec-467d-b20d-61c702de0b81", "value": "363605836bf4ee34d9dfb43a6e71acdfd2b2cebe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1523200404", "to_ids": true, "type": "sha256", "uuid": "5aca3194-4924-4814-9a0c-61c702de0b81", "value": "bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1523200404", "to_ids": true, "type": "md5", "uuid": "5aca3194-103c-4716-8158-61c702de0b81", "value": "577be8c5b73e59fb71570f632349e5fe" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", 
"template_version": "1", "timestamp": "1523200405", "uuid": "5d9c2b1a-eb9d-409e-9145-b203188a65aa", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1523200405", "to_ids": false, "type": "link", "uuid": "5aca3195-62bc-4071-8d07-61c702de0b81", "value": "https://www.virustotal.com/file/bf664370a287f83a67eb9ec01d575cad3bcdfbec2e2290a5e8d570999566e79e/analysis/1522221142/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1523200405", "to_ids": false, "type": "text", "uuid": "5aca3195-0948-47b7-b12b-61c702de0b81", "value": "47/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1523200405", "to_ids": false, "type": "datetime", "uuid": "5aca3195-2d94-4f77-8ccd-61c702de0b81", "value": "2018-03-28T07:12:22" } ] } ] } }