{ "Event": { "analysis": "2", "date": "2016-04-12", "extends_uuid": "", "info": "OSINT - New Locky Variant Implements Evasion Techniques", "publish_timestamp": "1460444609", "published": true, "threat_level_id": "3", "timestamp": "1460444521", "uuid": "570c9451-ec50-4ecc-b031-47b4950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#2c4f00", "local": false, "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460442241", "to_ids": false, "type": "link", "uuid": "570c9481-4494-46ca-8e1c-4786950d210f", "value": "http://blog.checkpoint.com/2016/04/11/new-locky-variant-implements-evasion-techniques/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460442257", "to_ids": false, "type": "comment", "uuid": "570c9491-25e4-444a-908a-4f6f950d210f", "value": "Following Check Point\u2019s recent discovery of a new communication scheme implemented by the Locky ransomware, our research teams decided to take a closer look at the inner workings of this new variant and map any new features it introduces.\r\n\r\nWhen Locky first appeared, we thoroughly analyzed its logic, like many other industry researchers. Our analysis showed that while not very sophisticated, Locky is a very efficient malware with a solid functionality and encryption algorithms. 
Judging by the amount of victim reports and detections generated by Locky in the past month alone, it is safe to say our observation was indeed correct.\r\n\r\nLocky\u2019s major drawback is not in its code, but rather in the quick and effective response by the security industry. Many successful security detections, on almost any possible security platform, caused the actors behind Locky to miss out on potential victims, as the malware was blocked from execution or even blocked altogether by internet gateways, not reaching the victim\u2019s computer at all. The changes we observed in this new Locky variant clearly show the Locky creators are very much aware of this fact, and therefore increased their efforts to evade security controls to gain a higher infection rate." }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444504", "to_ids": true, "type": "sha256", "uuid": "570c9d58-bdb8-44a3-bf86-430f950d210f", "value": "8f708c299215e2d0e8ce557c96ec771acdbbfffa46a25330caa61fe841e23877" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444504", "to_ids": true, "type": "sha256", "uuid": "570c9d58-4dfc-4c71-adb5-4fd9950d210f", "value": "003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444504", "to_ids": true, "type": "sha256", "uuid": "570c9d58-c0e8-4224-88f7-4b29950d210f", "value": "2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444505", "to_ids": true, "type": "sha256", "uuid": "570c9d59-78b8-4656-b296-4ec1950d210f", "value": "5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051" }, { "category": "Payload 
delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444505", "to_ids": true, "type": "sha256", "uuid": "570c9d59-401c-4127-9ce6-4bfb950d210f", "value": "588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444506", "to_ids": true, "type": "sha256", "uuid": "570c9d5a-2f18-4044-93b5-4ad0950d210f", "value": "64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444506", "to_ids": true, "type": "sha256", "uuid": "570c9d5a-4d48-46f5-81f3-484a950d210f", "value": "a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444506", "to_ids": true, "type": "sha256", "uuid": "570c9d5a-b614-4327-b70d-4c76950d210f", "value": "a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444507", "to_ids": true, "type": "sha256", "uuid": "570c9d5b-31d8-4216-ba1c-4782950d210f", "value": "abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444507", "to_ids": true, "type": "sha256", "uuid": "570c9d5b-7114-42d6-b606-48b7950d210f", "value": "e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691" }, { "category": "Payload delivery", "comment": "Sample", "deleted": false, "disable_correlation": false, "timestamp": "1460444507", "to_ids": true, "type": "sha256", "uuid": "570c9d5b-4004-4d49-9ebe-4dd2950d210f", "value": 
"f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e", "deleted": false, "disable_correlation": false, "timestamp": "1460444521", "to_ids": true, "type": "sha1", "uuid": "570c9d69-deac-40cc-a8ab-434502de0b81", "value": "16cc2d7f4892114c2d6c2a134e923e693868c711" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e", "deleted": false, "disable_correlation": false, "timestamp": "1460444521", "to_ids": true, "type": "md5", "uuid": "570c9d69-413c-4c5c-a624-497f02de0b81", "value": "b686846507cfdbf480e8002ca12ad2f1" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444521", "to_ids": false, "type": "link", "uuid": "570c9d69-599c-46bb-93ae-47a402de0b81", "value": "https://www.virustotal.com/file/f229c3ffa4de0bd43eaf1f7cbad920147982dd79f6032027117e23d5f6369f7e/analysis/1460375902/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691", "deleted": false, "disable_correlation": false, "timestamp": "1460444522", "to_ids": true, "type": "sha1", "uuid": "570c9d6a-5670-4c74-a38f-4b9502de0b81", "value": "9d4f5902806c4030e6aa1f89f4a5b30f871b34d2" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691", "deleted": false, "disable_correlation": false, "timestamp": "1460444522", "to_ids": true, "type": "md5", "uuid": "570c9d6a-0840-4603-8eb0-4ede02de0b81", "value": "4baa17713e2937d31aaaa327ee4af83a" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444522", "to_ids": false, "type": "link", "uuid": "570c9d6a-f8dc-4480-a3e9-433b02de0b81", 
"value": "https://www.virustotal.com/file/e608637e38fc964bee96984ed568e5095451787030d6a8f75bf9be8511a91691/analysis/1460405757/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5", "deleted": false, "disable_correlation": false, "timestamp": "1460444523", "to_ids": true, "type": "sha1", "uuid": "570c9d6b-07f8-4bfe-ab59-48d302de0b81", "value": "f32cc53d6fd08efbe38530b5c32651a432380733" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5", "deleted": false, "disable_correlation": false, "timestamp": "1460444523", "to_ids": true, "type": "md5", "uuid": "570c9d6b-d740-4b20-8476-40c202de0b81", "value": "deaa2618c7c021fe99e742633768d7f6" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444523", "to_ids": false, "type": "link", "uuid": "570c9d6b-7534-4119-88f2-40a102de0b81", "value": "https://www.virustotal.com/file/abf1caa982e32c8eb73916083504d42e6851fcbc09772a52e815df0e4fbdcdb5/analysis/1460160638/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518", "deleted": false, "disable_correlation": false, "timestamp": "1460444523", "to_ids": true, "type": "sha1", "uuid": "570c9d6b-8278-455e-ac9f-4a7a02de0b81", "value": "a8b628d6cd9da9c15fe257ad1c4df193f3e106ec" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518", "deleted": false, "disable_correlation": false, "timestamp": "1460444524", "to_ids": true, "type": "md5", "uuid": "570c9d6c-464c-433a-909c-4f6d02de0b81", "value": "3bbe188f3cfe4a013a0c0050b1e500aa" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444524", "to_ids": false, "type": 
"link", "uuid": "570c9d6c-4eac-4223-83be-49c802de0b81", "value": "https://www.virustotal.com/file/a5dc65cbe073898d09d2e07480f430a585cb309316cb4a32e3548b68c7416518/analysis/1460053639/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c", "deleted": false, "disable_correlation": false, "timestamp": "1460444525", "to_ids": true, "type": "sha1", "uuid": "570c9d6d-4c88-4759-b81c-433402de0b81", "value": "982a12e64a3ea4042a07727c767d137745b771a9" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c", "deleted": false, "disable_correlation": false, "timestamp": "1460444525", "to_ids": true, "type": "md5", "uuid": "570c9d6d-22ac-402c-ab98-4a6602de0b81", "value": "8f622a4e2bce80717c71ca255af04c51" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444525", "to_ids": false, "type": "link", "uuid": "570c9d6d-0e78-423b-91eb-480302de0b81", "value": "https://www.virustotal.com/file/a2e965cde2b734cc99a8f69ad1a7549ba740c5983a90490f6a3701ca2bca966c/analysis/1459941472/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d", "deleted": false, "disable_correlation": false, "timestamp": "1460444526", "to_ids": true, "type": "sha1", "uuid": "570c9d6e-f308-4bcc-98a8-47cf02de0b81", "value": "c869a3a1030f19a1cf5e1656e3d747eee51b2ba8" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d", "deleted": false, "disable_correlation": false, "timestamp": "1460444526", "to_ids": true, "type": "md5", "uuid": "570c9d6e-db38-4f2f-aa28-46ba02de0b81", "value": "3621540d2088c6b1215a4a965348a333" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": 
false, "timestamp": "1460444526", "to_ids": false, "type": "link", "uuid": "570c9d6e-ac6c-4287-8f7a-474402de0b81", "value": "https://www.virustotal.com/file/64d51aaf4abe4e87013056277277f05c55c6554d2a7005374f254983ac846c4d/analysis/1460251565/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4", "deleted": false, "disable_correlation": false, "timestamp": "1460444526", "to_ids": true, "type": "sha1", "uuid": "570c9d6e-22e8-4fca-b406-48d602de0b81", "value": "1048807f48dd1a8b72bb36903930a91014638afd" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4", "deleted": false, "disable_correlation": false, "timestamp": "1460444527", "to_ids": true, "type": "md5", "uuid": "570c9d6f-0410-4443-8036-48a802de0b81", "value": "f79c950fa3efc3bb29a4f15ae05448f2" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444527", "to_ids": false, "type": "link", "uuid": "570c9d6f-cfa8-402c-a027-42c802de0b81", "value": "https://www.virustotal.com/file/588dfcfe90feaedc724b80919b580e4398f1b8474f5aae979de0e76e7c6c07e4/analysis/1459908170/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051", "deleted": false, "disable_correlation": false, "timestamp": "1460444527", "to_ids": true, "type": "sha1", "uuid": "570c9d6f-ab88-4ce2-8f07-4c7702de0b81", "value": "251b2892efb68540bfca93c092ac88c47f3f629e" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051", "deleted": false, "disable_correlation": false, "timestamp": "1460444528", "to_ids": true, "type": "md5", "uuid": "570c9d70-3bd4-41c1-9e82-437f02de0b81", "value": "8dacc97d71cefc25bad375a9b5bc67d4" }, { "category": "External analysis", 
"comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444528", "to_ids": false, "type": "link", "uuid": "570c9d70-3e9c-46ae-8993-4d5d02de0b81", "value": "https://www.virustotal.com/file/5780dde27ff31a38c269e763f3648bdabcad25d5db083c43c55502fdefe9f051/analysis/1459958907/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d", "deleted": false, "disable_correlation": false, "timestamp": "1460444528", "to_ids": true, "type": "sha1", "uuid": "570c9d70-d444-4f7a-8d3b-4c0a02de0b81", "value": "412eb41a02682d056c61cb03c30852d397c7132c" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d", "deleted": false, "disable_correlation": false, "timestamp": "1460444529", "to_ids": true, "type": "md5", "uuid": "570c9d71-007c-4df4-a1db-47ba02de0b81", "value": "d8771f8d6fc74f03c453dc06284e5f5e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444529", "to_ids": false, "type": "link", "uuid": "570c9d71-864c-4ae7-af74-42a802de0b81", "value": "https://www.virustotal.com/file/2674aebd85c3d0a384edf57c82ef22b3de5fa8aaa1217f80a1d47f71d71ae87d/analysis/1459872907/" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3", "deleted": false, "disable_correlation": false, "timestamp": "1460444529", "to_ids": true, "type": "sha1", "uuid": "570c9d71-1c64-46b8-be3e-4dc302de0b81", "value": "456ca2c7c5b1fe65db7b26810cf2e2a89b8eb2c9" }, { "category": "Payload delivery", "comment": "Sample - Xchecked via VT: 003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3", "deleted": false, "disable_correlation": false, "timestamp": "1460444529", "to_ids": true, "type": "md5", "uuid": "570c9d71-faa8-4253-95ce-4fa002de0b81", "value": 
"ec0fae82b75ee1d7ce72b49d97dec4a1" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444530", "to_ids": false, "type": "link", "uuid": "570c9d72-7658-4ae1-a57c-4ce402de0b81", "value": "https://www.virustotal.com/file/003d28f180472b832722435d27e216835a8a330f992797006d307f8f14c4a2d3/analysis/1460015668/" } ] } }