{ "Event": { "analysis": "2", "date": "2017-06-27", "extends_uuid": "", "info": "OSINT - D\u00c3\u00a9j\u00c3\u00a0 vu: Petya ransomware appears with SMB propagation capabilities", "publish_timestamp": "1498593909", "published": true, "threat_level_id": "3", "timestamp": "1498593781", "uuid": "5952b89d-104c-436d-a8bd-476202de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#2c4f00", "local": "0", "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:ransomware=\"Petya\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": false, "type": "text", "uuid": "5952b8a9-0554-49ea-b10b-481602de0b81", "value": "The Petya outbreak recorded on 27 June 2017 has had a significant impact on a number of global organisations, with media outlets reporting impacts as significant as the cessation of activity at the Port of Rotterdam in the Netherlands [1].\r\n\r\nWhile many may be loath to think back six weeks to the trauma of May\u00e2\u20ac\u2122s WannaCry outbreak (https://blogs.forcepoint.com/security-labs/wannacry-post-outbreak-analysis), there are a number of parallels between the two incidents ranging from the global reach of the outbreak to the techniques by which the malware is spread." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": false, "type": "link", "uuid": "5952b951-4e0c-43af-96a9-4d8b02de0b81", "value": "https://blogs.forcepoint.com/security-labs/deja-vu-petya-ransomware-appears-smb-propagation-capabilities" }, { "category": "Payload delivery", "comment": "orcepoint Security Labs has analysed one sample associated with the outbreak", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": true, "type": "sha256", "uuid": "5952b96c-d99c-4a1c-bbd7-4bf802de0b81", "value": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": false, "type": "link", "uuid": "5952b995-7028-4073-bd6b-10ed02de0b81", "value": "http://www.ad.nl/rotterdam/grote-hack-bij-maersk-legt-rotterdamse-containerterminal-plat~a60dd307/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": false, "type": "link", "uuid": "5952b995-7fd8-4b6e-8c34-10ed02de0b81", "value": "https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": false, "type": "link", "uuid": "5952b995-7480-46b3-b11a-10ed02de0b81", "value": "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": false, "type": "link", "uuid": "5952b995-2c9c-4ad0-a55b-10ed02de0b81", "value": "https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012" }, { "category": "Financial fraud", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": true, "type": "btc", "uuid": "5952b9a4-f444-4b57-a179-10e402de0b81", "value": "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" }, { "category": "Payload delivery", "comment": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": true, "type": "sha1", "uuid": "5952b9cc-63e4-4af1-899f-49b502de0b81", "value": "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d" }, { "category": "Payload delivery", "comment": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": true, "type": "md5", "uuid": "5952b9cc-d418-44c1-a185-462502de0b81", "value": "71b6a493388e7d0b40c83ce903bc6b04" }, { "category": "External analysis", "comment": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745", "deleted": false, "disable_correlation": false, "timestamp": "1498593740", "to_ids": false, "type": "link", "uuid": "5952b9cc-0848-4d44-bfac-495302de0b81", "value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1498592986/" } ] } }