{ "Event": { "analysis": "2", "date": "2016-04-12", "extends_uuid": "", "info": "Rokku Ransomware shows possible link with Chimera", "publish_timestamp": "1460444472", "published": true, "threat_level_id": "3", "timestamp": "1460444381", "uuid": "570c9b9a-dc20-448a-8f24-443f950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444092", "to_ids": false, "type": "comment", "uuid": "570c9bbc-3e44-4a98-b0d3-4aea950d210f", "value": "Rokku is yet another ransomware, discovered in recent weeks. Currently, it\u00e2\u20ac\u2122s most common distribution method is spam where a malicious executable is dropped by a VB script belonging to the e-mail\u00e2\u20ac\u2122s attachment.\r\n\r\nThe building blocks of Rokku reminded us of the Chimera ransomware. That\u00e2\u20ac\u2122s why we decided to take a closer look, not only at the internal structure of this malware but also at the similarities and differences between these two products." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444104", "to_ids": false, "type": "link", "uuid": "570c9bc8-fcd0-4608-b703-4848950d210f", "value": "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/" }, { "category": "Payload delivery", "comment": "original executable (malware)", "deleted": false, "disable_correlation": false, "timestamp": "1460444173", "to_ids": true, "type": "md5", "uuid": "570c9c0d-b684-4990-8b90-4dcc950d210f", "value": "97512f4617019c907cd0f88193039e7c" }, { "category": "Payload delivery", "comment": "UPX layer removed (malware)", "deleted": false, "disable_correlation": false, "timestamp": "1460444173", "to_ids": true, "type": "md5", "uuid": "570c9c0d-bc48-4fc6-b1dc-4f17950d210f", "value": "5a0e3a6e3106e754381bd1cc3295c97f" }, { "category": "Payload delivery", "comment": "payload: encryptor.dll (malware) - the analysis", "deleted": false, "disable_correlation": false, "timestamp": "1460444173", "to_ids": true, "type": "md5", "uuid": "570c9c0d-addc-4cd3-85fd-4956950d210f", "value": "be6552aed5e7509b3b539cef8a965131" }, { "category": "Payload delivery", "comment": "original executable: decryptor.exe (decryptor)", "deleted": false, "disable_correlation": false, "timestamp": "1460444235", "to_ids": true, "type": "md5", "uuid": "570c9c4b-6ad4-427e-8c07-489e950d210f", "value": "82fea20bb4c96050b4cf55f83de0f3e6" }, { "category": "Payload delivery", "comment": "UPX layer removed (decryptor)", "deleted": false, "disable_correlation": false, "timestamp": "1460444235", "to_ids": true, "type": "md5", "uuid": "570c9c4b-53c4-464c-9303-4c91950d210f", "value": "1be4a0932a66ebdb9ede56214d8ccdf9" }, { "category": "Artifacts dropped", "comment": "Finally, removing backups and stopping backup services is performed \u00e2\u20ac\u201c by execution of the following commands:", "deleted": false, "disable_correlation": false, "timestamp": "1460444292", "to_ids": false, "type": "comment", "uuid": "570c9c84-3d14-4715-b999-48cf950d210f", "value": "wmic shadowcopy delete /nointeractive\r\nvssadmin delete shadows /all /quiet\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\VSS\" /v Start /t REG_DWORD /d 4 /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v DisableSR /t REG_DWORD /d 1 /f\r\nnet stop vss\r\nnet stop swprv\r\nnet stop srservice" }, { "category": "Payload delivery", "comment": "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9", "deleted": false, "disable_correlation": false, "timestamp": "1460444381", "to_ids": true, "type": "sha256", "uuid": "570c9cdd-39d8-4f9e-802c-402702de0b81", "value": "09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc" }, { "category": "Payload delivery", "comment": "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9", "deleted": false, "disable_correlation": false, "timestamp": "1460444381", "to_ids": true, "type": "sha1", "uuid": "570c9cdd-79fc-450e-86b0-486a02de0b81", "value": "27e46208f348de4df378c8646c14f499d2290793" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444382", "to_ids": false, "type": "link", "uuid": "570c9cde-1aac-4cde-b159-451302de0b81", "value": "https://www.virustotal.com/file/09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc/analysis/1459878434/" }, { "category": "Payload delivery", "comment": "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6", "deleted": false, "disable_correlation": false, "timestamp": "1460444382", "to_ids": true, "type": "sha256", "uuid": "570c9cde-b944-4147-a64c-42fd02de0b81", "value": "e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87" }, { "category": "Payload delivery", "comment": "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6", "deleted": false, "disable_correlation": false, "timestamp": "1460444382", "to_ids": true, "type": "sha1", "uuid": "570c9cde-06ac-4ace-8186-4ff702de0b81", "value": "035af05addaf8cf9c103bbb27b355477ce336cc1" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444383", "to_ids": false, "type": "link", "uuid": "570c9cdf-4e74-4cf3-b93a-4e9c02de0b81", "value": "https://www.virustotal.com/file/e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87/analysis/1459878217/" }, { "category": "Payload delivery", "comment": "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131", "deleted": false, "disable_correlation": false, "timestamp": "1460444383", "to_ids": true, "type": "sha256", "uuid": "570c9cdf-7d2c-4580-bef9-44be02de0b81", "value": "186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51" }, { "category": "Payload delivery", "comment": "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131", "deleted": false, "disable_correlation": false, "timestamp": "1460444383", "to_ids": true, "type": "sha1", "uuid": "570c9cdf-e470-4fbf-b638-46eb02de0b81", "value": "da1ad69f282ae49a0af6aa7bef190f434ac18c7b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444384", "to_ids": false, "type": "link", "uuid": "570c9ce0-0140-46c7-b4b9-4a6402de0b81", "value": "https://www.virustotal.com/file/186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51/analysis/1459758054/" }, { "category": "Payload delivery", "comment": "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f", "deleted": false, "disable_correlation": false, "timestamp": "1460444384", "to_ids": true, "type": "sha256", "uuid": "570c9ce0-f1b0-4d89-b14f-4ff202de0b81", "value": "1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983" }, { "category": "Payload delivery", "comment": "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f", "deleted": false, "disable_correlation": false, "timestamp": "1460444384", "to_ids": true, "type": "sha1", "uuid": "570c9ce0-92c4-4f1c-a35c-403102de0b81", "value": "49239500b0510ce7643c48ebfaf6c9e35aa1cce5" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444385", "to_ids": false, "type": "link", "uuid": "570c9ce1-ac20-4b2a-8b30-44e702de0b81", "value": "https://www.virustotal.com/file/1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983/analysis/1459828258/" }, { "category": "Payload delivery", "comment": "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c", "deleted": false, "disable_correlation": false, "timestamp": "1460444385", "to_ids": true, "type": "sha256", "uuid": "570c9ce1-c698-48aa-b27a-46e602de0b81", "value": "438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499" }, { "category": "Payload delivery", "comment": "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c", "deleted": false, "disable_correlation": false, "timestamp": "1460444385", "to_ids": true, "type": "sha1", "uuid": "570c9ce1-5af8-482a-a990-46c702de0b81", "value": "24cfa261ee30f697e7d1e2215eee1c21eebf4579" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1460444385", "to_ids": false, "type": "link", "uuid": "570c9ce1-6d14-459a-8a69-4f7502de0b81", "value": "https://www.virustotal.com/file/438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499/analysis/1459900992/" } ] } }