{ "Event": { "analysis": "2", "date": "2017-08-31", "extends_uuid": "", "info": "OSINT - Active ransomware attack uses impersonation and embedded advanced threats", "publish_timestamp": "1514467840", "published": true, "threat_level_id": "3", "timestamp": "1513738826", "uuid": "5a37887b-efe0-43ba-8542-435c950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#2c4f00", "name": "malware_classification:malware-category=\"Ransomware\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1513594331", "to_ids": false, "type": "comment", "uuid": "5a378895-b7d8-49b2-a28c-44ca950d210f", "value": "In this attack, the source of the email is a spoofed address, and the attachment name and number is included in the subject line and body of the message. 
The full subject line in this example is \u201cEmailing: Payment_201708-6165\u201d and the number in the attachment name is variable.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1513594331", "to_ids": false, "type": "link", "uuid": "5a3788f1-413c-4fb5-aba2-4898950d210f", "value": "https://blog.barracuda.com/2017/08/31/active-ransomware-attack-uses-impersonation-and-embedded-advanced-threats/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1513589237", "uuid": "5a3789f2-9004-4a04-a2e8-473b950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5a3789f2-9004-4a04-a2e8-473b950d210f", "referenced_uuid": "bd9400ef-6830-41e8-bf08-6f8a05193923", "relationship_type": "analysed-with", "timestamp": "1514467840", "uuid": "5a379ddc-38ec-4f08-9690-488602de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1513589234", "to_ids": true, "type": "sha1", "uuid": "5a3789f2-4988-41dd-aa0a-4493950d210f", "value": "d5d67631683c9e3d5021334477746a1e64ea2dff" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1513589234", "to_ids": true, "type": "sha256", "uuid": "5a3789f2-4a8c-492b-b682-4096950d210f", "value": "87d0d011b8b456ce8fa15afea8df5e5fbf1bad5cb3305272016ca0db9c204d90" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": 
"1513589234", "to_ids": true, "type": "md5", "uuid": "5a3789f2-dab8-4ded-819b-4cda950d210f", "value": "fa527ff057e1be5101da4481d38ba968" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1513589234", "to_ids": false, "type": "text", "uuid": "5a3789f2-f5ac-40c3-ad1a-4237950d210f", "value": "Malicious" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "size-in-bytes", "timestamp": "1513589234", "to_ids": false, "type": "size-in-bytes", "uuid": "5a3789f2-80d8-4064-8e0b-4f0f950d210f", "value": "20363" } ] }, { "comment": "", "deleted": false, "description": "Email object describing an email with meta-information", "meta-category": "network", "name": "email", "template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "template_version": "7", "timestamp": "1513590107", "uuid": "5a378d5b-bcac-4fda-816f-48e8950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "number is variable", "deleted": false, "disable_correlation": false, "object_relation": "subject", "timestamp": "1513590107", "to_ids": false, "type": "email-subject", "uuid": "5a378d5b-d8b4-4f80-9933-41c1950d210f", "value": "Emailing: Payment_201708-1160" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "attachment", "timestamp": "1513590107", "to_ids": true, "type": "email-attachment", "uuid": "5a378d5b-f760-4ef6-bee5-47c1950d210f", "value": "201708-1160.7z" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "send-date", "timestamp": "1513590107", "to_ids": false, "type": "datetime", "uuid": "5a378d5b-6eec-49c0-9a98-4079950d210f", "value": "2017-08-30T02:13:17" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": 
"d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1513594331", "uuid": "bd9400ef-6830-41e8-bf08-6f8a05193923", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1513594332", "to_ids": false, "type": "link", "uuid": "5a379ddc-112c-41c3-ae7e-441602de0b81", "value": "https://www.virustotal.com/file/87d0d011b8b456ce8fa15afea8df5e5fbf1bad5cb3305272016ca0db9c204d90/analysis/1505917656/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1513594332", "to_ids": false, "type": "text", "uuid": "5a379ddc-e090-4f00-a188-4ad902de0b81", "value": "37/59" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1513594332", "to_ids": false, "type": "datetime", "uuid": "5a379ddc-6838-4c7d-92e3-459f02de0b81", "value": "2017-09-20T14:27:36" } ] } ] } }