{ "Event": { "analysis": "2", "date": "2017-10-25", "extends_uuid": "", "info": "OSINT - Bad Rabbit: Not-Petya is back with improved ransomware", "publish_timestamp": "1514467254", "published": true, "threat_level_id": "3", "timestamp": "1511385587", "uuid": "59f049c0-aae0-47d2-a888-4021950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:ransomware=\"Bad Rabbit\"", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#2c4f00", "local": "0", "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:preventive-measure=\"Backup and Restore Process\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:preventive-measure=\"Restrict Workstation Communication\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508921673", "to_ids": false, "type": "link", "uuid": "59f049cf-329c-4504-a63c-4974950d210f", "value": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "ip-dst", "uuid": "59f04b31-f73c-4d20-95b5-4edf950d210f", "value": "185.149.120.3" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": false, "type": 
"comment", "uuid": "59f04b48-223c-4642-a5cf-412c950d210f", "value": "A new ransomware outbreak today has hit some major infrastructure in Ukraine including Kiev metro.", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "domain", "uuid": "59f04b70-32f4-4c4b-bd74-4775950d210f", "value": "1dnscontrol.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508920176", "to_ids": true, "type": "filename", "uuid": "59f04b70-a00c-47a5-903e-44f2950d210f", "value": "install_flash_player.exe" }, { "category": "Payload delivery", "comment": "Mimikatz (32-bits)", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "sha1", "uuid": "59f04c8f-fba0-4775-913a-4a4f950d210f", "value": "413eba3973a15c1a6429d9f170f3e8287f98c21c" }, { "category": "Payload delivery", "comment": "Mimikatz (64-bits)", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "sha1", "uuid": "59f04c8f-046c-41dc-a600-4306950d210f", "value": "16605a4a29a101208457c47ebfde788487be788d" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04d24-9424-49ec-86bc-403c950d210f", "value": "http://caforssztxqzf2nm.onion" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04d24-f6a4-4278-b3b5-406d950d210f", "value": "http://185.149.120.3/scholargoogle/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": 
"59f04d24-0348-4b41-8e40-4887950d210f", "value": "http://1dnscontrol.com/flash_install.php" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-4f04-4174-a93d-4c9d950d210f", "value": "http://argumentiru.com" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-3e78-47fc-ad92-4866950d210f", "value": "http://www.fontanka.ru" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-9890-46f0-b252-4884950d210f", "value": "http://grupovo.bg" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-de28-4f39-a955-43c6950d210f", "value": "http://www.sinematurk.com" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-7564-446e-80f5-4717950d210f", "value": "http://www.aica.co.jp" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-d780-4e3e-a215-44b3950d210f", "value": "http://spbvoditel.ru" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-bcc0-415d-9588-4111950d210f", "value": "http://argumenti.ru" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, 
"timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-4838-45fc-b75c-48b9950d210f", "value": "http://www.mediaport.ua" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-4dc8-470d-9268-45bd950d210f", "value": "http://blog.fontanka.ru" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-0600-4c83-8d3a-41ae950d210f", "value": "http://an-crimea.ru" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-7eb8-4933-a170-4c3e950d210f", "value": "http://www.t.ks.ua" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-7b94-4be1-a497-42c2950d210f", "value": "http://most-dnepr.info" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-fe88-4850-b260-4b7d950d210f", "value": "http://osvitaportal.com.ua" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-8294-4d84-862f-46d7950d210f", "value": "http://www.otbrana.com" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-3198-4485-8eae-4833950d210f", "value": "http://calendar.fontanka.ru" }, { "category": "Network activity", "comment": "compromised 
site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-9858-4feb-ad80-4183950d210f", "value": "http://www.grupovo.bg" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-7448-4f85-b71a-48d7950d210f", "value": "http://www.pensionhotel.cz" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-7d48-426d-9d85-4d32950d210f", "value": "http://www.online812.ru" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-fc80-4ddf-822f-47b2950d210f", "value": "http://www.imer.ro" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-c6e8-4de1-a60a-42c8950d210f", "value": "http://novayagazeta.spb.ru" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-b9c0-485f-b2c3-42cb950d210f", "value": "http://i24.com.ua" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-4fc4-4b03-927f-4c92950d210f", "value": "http://bg.pensionhotel.com" }, { "category": "Network activity", "comment": "compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "url", "uuid": "59f04ddf-e83c-4d61-b9ab-43ea950d210f", "value": "http://ankerch-crimea.ru" }, { 
"category": "Payload delivery", "comment": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "sha256", "uuid": "59f0514a-7310-4dad-b3b1-490002de0b81", "value": "2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035" }, { "category": "Payload delivery", "comment": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "md5", "uuid": "59f0514a-df70-416c-bfae-445f02de0b81", "value": "37945c44a897aa42a66adcab68f560e0" }, { "category": "External analysis", "comment": "Mimikatz (64-bits) - Xchecked via VT: 16605a4a29a101208457c47ebfde788487be788d", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": false, "type": "link", "uuid": "59f0514a-7f84-4846-ba38-449302de0b81", "value": "https://www.virustotal.com/file/2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035/analysis/1508915760/" }, { "category": "Payload delivery", "comment": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "sha256", "uuid": "59f0514a-b3d0-4191-a490-440802de0b81", "value": "301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c" }, { "category": "Payload delivery", "comment": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", "to_ids": true, "type": "md5", "uuid": "59f0514a-1be4-4e5c-8fff-48cc02de0b81", "value": "347ac3b6b791054de3e5720a7144a977" }, { "category": "External analysis", "comment": "Mimikatz (32-bits) - Xchecked via VT: 413eba3973a15c1a6429d9f170f3e8287f98c21c", "deleted": false, "disable_correlation": false, "timestamp": "1508921674", 
"to_ids": false, "type": "link", "uuid": "59f0514a-f0d8-4972-9b45-40cb02de0b81", "value": "https://www.virustotal.com/file/301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c/analysis/1508918790/" } ], "Object": [ { "comment": "Diskcoder", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "3", "timestamp": "1508921861", "uuid": "59f04c50-0864-406b-b9fd-4797950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "59f04c50-0864-406b-b9fd-4797950d210f", "referenced_uuid": "59f04cab-7520-4c5d-b6d7-4f46950d210f", "relationship_type": "dropped-by", "timestamp": "1508921858", "uuid": "59f05202-85f0-4f57-8f6c-4940950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1508920400", "to_ids": true, "type": "filename", "uuid": "59f04c50-54bc-44c5-8b25-4ceb950d210f", "value": "infpub.dat" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1508920400", "to_ids": true, "type": "sha1", "uuid": "59f04c50-93b0-4a68-aa51-4042950d210f", "value": "79116fe99f2b421c52ef64097f0f39b815b20907" } ] }, { "comment": "Lockscreen", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "3", "timestamp": "1508921972", "uuid": "59f04c7a-1ee8-472b-93b7-4f06950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "59f04c7a-1ee8-472b-93b7-4f06950d210f", "referenced_uuid": "59f04c50-0864-406b-b9fd-4797950d210f", "relationship_type": "dropped-by", "timestamp": "1508921969", "uuid": "59f05271-6fac-4f63-9bf2-4028950d210f" } ], "Attribute": [ { "category": "Payload 
delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1508920442", "to_ids": true, "type": "filename", "uuid": "59f04c7a-5c84-488a-9acd-4e27950d210f", "value": "dispci.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1508920442", "to_ids": true, "type": "sha1", "uuid": "59f04c7a-3490-4017-9aa1-48cc950d210f", "value": "afeee8b4acff87bc469a6f0364a81ae5d60a2add" } ] }, { "comment": "Dropper", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "3", "timestamp": "1508921843", "uuid": "59f04cab-7520-4c5d-b6d7-4f46950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "59f04cab-7520-4c5d-b6d7-4f46950d210f", "referenced_uuid": "59f04cf4-0f54-4525-8d29-453f950d210f", "relationship_type": "dropped-by", "timestamp": "1508921840", "uuid": "59f051f0-9fa4-4ba0-84d3-4a37950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1508920491", "to_ids": true, "type": "filename", "uuid": "59f04cab-ca10-4e65-bdc2-4658950d210f", "value": "install_flash_player.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1508920491", "to_ids": true, "type": "sha1", "uuid": "59f04cab-4674-4ca3-9c66-4d8e950d210f", "value": "de5c8d858e6e41da715dca1c019df0bfb92d32c0" } ] }, { "comment": "JavaScript on compromised sites", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "3", "timestamp": "1508920564", "uuid": 
"59f04cf4-0f54-4525-8d29-453f950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1508920564", "to_ids": true, "type": "filename", "uuid": "59f04cf4-3220-4295-ab59-4dce950d210f", "value": "page-main.js" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1508920564", "to_ids": true, "type": "sha1", "uuid": "59f04cf4-6ddc-4387-823f-41b3950d210f", "value": "4f61e154230a64902ae035434690bf2b96b4e018" } ] } ] } }