{ "Event": { "analysis": "2", "date": "2015-04-30", "extends_uuid": "", "info": "OSINT Dalexis/CTB-Locker malspam campaign by SANS Internet Storm Center", "publish_timestamp": "1430743114", "published": true, "threat_level_id": "3", "timestamp": "1430732768", "uuid": "55473e1b-e828-4fe9-ba30-dd1b950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732328", "to_ids": false, "type": "link", "uuid": "55473e28-9758-4548-a2e8-dd36950d210b", "value": "https://isc.sans.edu/diary/DalexisCTB-Locker+malspam+campaign/19641" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732428", "to_ids": false, "type": "text", "uuid": "55473e8c-b778-4465-bc47-4e7f950d210b", "value": "Dalexis" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732428", "to_ids": false, "type": "text", "uuid": "55473e8c-05bc-4de4-b271-432f950d210b", "value": "CTB-Locker" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732474", "to_ids": false, "type": "link", "uuid": "55473eba-6368-4f39-ab0a-40cb950d210b", "value": "https://malwr.com/analysis/OTVjMzRjZDFjNWYwNDlmYzk4MTVmOWRlM2IzMmVkN2Y/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732474", "to_ids": false, "type": "link", "uuid": "55473eba-65e8-4bbb-b986-4d66950d210b", "value": "https://malwr.com/analysis/M2NlYmU3YmIwMzM0NGY1NTk4MTBjMzM0ZmZmZmZmZTE/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732475", "to_ids": false, "type": "link", "uuid": "55473ebb-06dc-4738-9dff-4a52950d210b", "value": "http://www.malware-traffic-analysis.net/2015/04/28/2015-04-28-Dalexis-and-CTB-Locker-traffic.pcap" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732475", "to_ids": false, "type": "link", "uuid": "55473ebb-8b04-4a74-9f89-4f61950d210b", "value": "http://www.malware-traffic-analysis.net/2015/04/28/2015-04-28-Dalexis-samples.zip" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732531", "to_ids": true, "type": "ip-dst", "uuid": "55473ef3-983c-4cc0-80b5-ced1950d210b", "value": "31.170.160.229" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732531", "to_ids": true, "type": "ip-dst", "uuid": "55473ef3-4c14-48b5-a203-ced1950d210b", "value": "31.170.162.163" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732532", "to_ids": true, "type": "ip-dst", "uuid": "55473ef4-b074-4e67-9216-ced1950d210b", "value": "37.187.72.60" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732532", "to_ids": true, "type": "ip-dst", "uuid": "55473ef4-ee00-4cf7-88f4-ced1950d210b", "value": "46.19.37.108" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732532", "to_ids": true, "type": "ip-dst", "uuid": "55473ef4-b068-4793-9801-ced1950d210b", "value": "62.149.140.213" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732532", "to_ids": true, "type": "ip-dst", "uuid": "55473ef4-47d8-4705-b461-ced1950d210b", "value": "85.10.55.30" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732532", "to_ids": true, "type": "ip-dst", "uuid": "55473ef4-8d6c-4b13-9824-ced1950d210b", "value": "192.185.224.67" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-bb08-434a-a470-4086950d210b", "value": "earthfromspace.host56.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-14f0-4914-a834-4593950d210b", "value": "gkl.net76.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-2f90-4e5d-8212-48dc950d210b", "value": "volcanoscreens.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-6b7c-46e6-8b6a-4b05950d210b", "value": "ip.telize.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-b8a4-4ea0-a5a4-46ae950d210b", "value": "www.gaglianico74.it" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-7d2c-4083-9914-4723950d210b", "value": "lancia.hr" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-8b30-4e89-b079-434a950d210b", "value": "bdfschool.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732580", "to_ids": true, "type": "hostname", "uuid": "55473f24-d9bc-46a5-b590-4e7c950d210b", "value": "fizxfsi3cad3kn7v.tor2web.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732581", "to_ids": true, "type": "hostname", "uuid": "55473f25-8c94-427d-a239-4a4f950d210b", "value": "fizxfsi3cad3kn7v.onion.cab" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732700", "to_ids": true, "type": "md5", "uuid": "55473f9c-cdf0-48ef-a72e-42a0950d210b", "value": "1a9fdce6b6efd094af354a389b0e04da" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732700", "to_ids": true, "type": "md5", "uuid": "55473f9c-23f0-473b-82e9-4ccf950d210b", "value": "a1b066361440a5ff6125f15b1ba2e1b1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732700", "to_ids": true, "type": "md5", "uuid": "55473f9c-3494-4232-b25c-4b45950d210b", "value": "01f8976034223337915e4900b76f9f26" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-90b8-416f-9ee2-4145950d210b", "value": "ab9a07054a985c6ce31c7d53eee90fbe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-618c-4572-b9bf-4da8950d210b", "value": "899689538df49556197bf1bac52f1b84" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-d724-4b83-9952-4301950d210b", "value": "eea0fd780ecad755940110fc7ee6d727" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-ac3c-43e8-8277-4d20950d210b", "value": "f236e637e17bc44764e43a8041749e6c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-02e4-48d8-a743-4614950d210b", "value": "eda8075438646c617419eda13700c43a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-ac4c-4eaf-b76d-4e7e950d210b", "value": "d00861c5066289ea9cca3f0076f97681" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-ef9c-4187-b836-48c6950d210b", "value": "657e3d615bb1b6e7168319e1f9c5039f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9d-28e8-42a7-8c23-4761950d210b", "value": "b7fe085962dc7aa7622bd15c3a303b41" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732701", "to_ids": true, "type": "md5", "uuid": "55473f9e-eec0-4c6f-80c5-4926950d210b", "value": "2ba4d511e07090937b5d6305af13db68" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-9bd8-4c1b-ae0b-48aa950d210b", "value": "24698aa84b14c42121f96a22fb107d00" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-938c-421c-9951-48a3950d210b", "value": "04abf53d3b4d7bb7941a5c8397594db7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-d96c-4296-9fa1-460f950d210b", "value": "b2ca48afbc0eb578a9908af8241f2ae8" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-5154-4338-82df-44f9950d210b", "value": "fa43842bda650c44db99f5789ef314e3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-ccd0-4d12-996a-4d5b950d210b", "value": "802d9abf21c812501400320f2efe7040" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-e53c-4c6e-9eec-435e950d210b", "value": "0687f63ce92e57a76b990a8bd5500b69" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-b9ec-4108-aaaa-40e2950d210b", "value": "0918c8bfed6daac6b63145545d911c72" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732702", "to_ids": true, "type": "md5", "uuid": "55473f9e-be68-4e68-b576-4841950d210b", "value": "2e90e6d71e665b2a079b80979ab0e2cb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732703", "to_ids": true, "type": "md5", "uuid": "55473f9f-8ad4-499d-ac7f-4bc3950d210b", "value": "5b8a27e6f366f40cda9c2167d501552e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732703", "to_ids": true, "type": "md5", "uuid": "55473f9f-3d38-47a3-ad33-4a70950d210b", "value": "9c1acc3f27d7007a44fc0da8fceba120" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732703", "to_ids": true, "type": "md5", "uuid": "55473f9f-c5bc-4ca0-96ac-45bf950d210b", "value": "1a6b20a5636115ac8ed3c4c4dd73f6aa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732703", "to_ids": true, "type": "md5", "uuid": "55473f9f-05a8-4d12-880c-4a61950d210b", "value": "b9d19a68205f2a7e2321ca3228aa74d1" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732716", "to_ids": true, "type": "md5", "uuid": "55473fac-2268-46c8-a5b2-ce99950d210b", "value": "46838a76fbf59e9b78d684699417b216" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732716", "to_ids": true, "type": "md5", "uuid": "55473fac-9c24-424d-8b06-ce99950d210b", "value": "8f5df86fdf5f3c8e475357bab7bc38e8" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732716", "to_ids": true, "type": "md5", "uuid": "55473fac-00b8-4fd2-a9e1-ce99950d210b", "value": "59f71ef10861d1339e9765fb512d991c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732716", "to_ids": true, "type": "md5", "uuid": "55473fac-2988-4a90-94bf-ce99950d210b", "value": "0baa21fab10c7d8c64157ede39453ae5" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732716", "to_ids": true, "type": "md5", "uuid": "55473fac-6e14-44d4-aea4-ce99950d210b", "value": "f953b4c8093276fbde3cfa5e63f990eb" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-3be0-4231-a30e-ce99950d210b", "value": "6580e4ee7d718421128476a1f2f09951" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-2d68-4b6d-95ae-ce99950d210b", "value": "6a15d6fa9f00d931ca95632697e5ba70" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-3fc8-48cc-b267-ce99950d210b", "value": "54c1ac0d5e8fa05255ae594adfe5706e" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-2e4c-431f-aaa8-ce99950d210b", "value": "08a0c2aaf7653530322f4d7ec738a3df" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-52c8-48a2-8171-ce99950d210b", "value": "1aaecdfd929725c195a7a67fc6be9b4b" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-7e44-4180-a5be-ce99950d210b", "value": "f51fcf418c973a94a7d208c3a8a30f19" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-8894-4f57-8cd6-ce99950d210b", "value": "dbea4b3fb5341ce3ca37272e2b8052ae" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-1e5c-4904-b6b3-ce99950d210b", "value": "c0dc49296b0aec09c5bfefcf4129c29b" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732717", "to_ids": true, "type": "md5", "uuid": "55473fad-e9a8-4c3b-9cf7-ce99950d210b", "value": "9239ec6fe6703279e959f498919fdfb0" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-3b78-4a2b-b89a-ce99950d210b", "value": "a9d11a69c692b35235ce9c69175f0796" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-4458-49ff-9c56-ce99950d210b", "value": "bcaf9ce1881f0f282cec5489ec303585" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-394c-4124-94be-ce99950d210b", "value": "70a63f45eb84cb10ab1cc3dfb4ac8a3e" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-834c-4cc2-a913-ce99950d210b", "value": "d1b1e371aebfc3d500919e9e33bcd6c1" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-747c-47c6-81e3-ce99950d210b", "value": "15a5acfbccbb80b01e6d270ea8af3789" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-ea7c-45b8-8488-ce99950d210b", "value": "fa0fe28ffe83ef3dcc5c667bf2127d4c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-558c-4c6d-a818-ce99950d210b", "value": "646640f63f327296df0767fd0c9454d4" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732718", "to_ids": true, "type": "md5", "uuid": "55473fae-5ffc-4df1-b7cc-ce99950d210b", "value": "ec872872bff91040d2bc1e4c4619cbbc" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732719", "to_ids": true, "type": "md5", "uuid": "55473faf-4980-4dac-a0b5-ce99950d210b", "value": "b8e8e3ec7f4d6efee311e36613193b8d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732719", "to_ids": true, "type": "md5", "uuid": "55473faf-1724-473b-9903-ce99950d210b", "value": "36abcedd5fb6d17038bd7069808574e4" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732768", "to_ids": false, "type": "link", "uuid": "55473fe0-fc54-436f-a764-4d6c950d210b", "value": "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader:Win32/Dalexis#tab=2" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732769", "to_ids": false, "type": "link", "uuid": "55473fe1-29a8-4903-b16e-40c6950d210b", "value": "https://heimdalsecurity.com/blog/ctb-locker-ransomware/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732769", "to_ids": false, "type": "link", "uuid": "55473fe1-0294-4e87-b885-4a2c950d210b", "value": "https://blogs.mcafee.com/mcafee-labs/rise-backdoor-fckq-ctb-locker" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430732769", "to_ids": false, "type": "link", "uuid": "55473fe1-4be4-4e68-97dc-4e38950d210b", "value": "https://techhelplist.com/index.php/spam-list/796-your-account-has-been-something-bad-various-malware" } ] } }