{ "Event": { "analysis": "2", "date": "2016-04-22", "extends_uuid": "", "info": "OSINT - New Downloader for Locky", "publish_timestamp": "1462598116", "published": true, "threat_level_id": "3", "timestamp": "1461829032", "uuid": "5720bf21-9d4c-40b2-9088-45e6950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#006c6c", "name": "ecsirt:malicious-code=\"ransomware\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461763888", "to_ids": false, "type": "link", "uuid": "5720bf30-342c-46e3-bbdd-49d2950d210f", "value": "https://www.fireeye.com/blog/threat-research/2016/04/new_downloader_forl.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461763902", "to_ids": false, "type": "comment", "uuid": "5720bf3e-32fc-4d28-9a3a-45cc950d210f", "value": "Through DTI Intelligence analysis, we have been observing Locky malware rise to fame recently. Locky is ransomware that is aggressively distributed via downloaders attached in spam emails, and it may have surpassed the Dridex banking trojan in popularity. In previous campaigns, the ransomware was downloaded by a macro-based downloader or a JavaScript downloader. However, in April 2016, FireEye Labs observed a new development in the way this ransomware is downloaded onto a compromised system." 
}, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461763998", "to_ids": false, "type": "email-subject", "uuid": "5720bf9e-b3fc-42ce-a32f-4d83950d210f", "value": "Photos" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461764018", "to_ids": false, "type": "email-attachment", "uuid": "5720bfb2-7df0-4ffe-af65-472b950d210f", "value": "Photos.zip" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764038", "to_ids": true, "type": "url", "uuid": "5720bfc6-86bc-4717-b4b8-4d86950d210f", "value": "http://mrsweeter.ru/87h78rf33g" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764150", "to_ids": true, "type": "sha256", "uuid": "5720c036-f4b8-497c-ad91-45dc950d210f", "value": "7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764150", "to_ids": true, "type": "sha256", "uuid": "5720c036-f710-4da1-8d4c-4a7c950d210f", "value": "9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764172", "to_ids": true, "type": "md5", "uuid": "5720c04c-a8bc-451d-9fe4-4e48950d210f", "value": "b0ca8c5881c1d27684c23db7a88d11e1" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764172", "to_ids": true, "type": "md5", "uuid": "5720c04c-3a88-4a9e-b201-4d39950d210f", "value": "c5ad81d8d986c92f90d0462bc06ac9c6" }, { "category": "Payload delivery", 
"comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764173", "to_ids": true, "type": "md5", "uuid": "5720c04d-1d90-42ff-a0ef-4908950d210f", "value": "ebf1f8951ec79f2e6bf40e6981c7dbfc" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764173", "to_ids": true, "type": "sha256", "uuid": "5720c04d-54fc-4671-9e61-4f48950d210f", "value": "357c162a35c3623d1a1791c18e9f56e72bcd76f6ef9f4cbcf5952f62b9bc8a08" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764173", "to_ids": true, "type": "md5", "uuid": "5720c04d-3fc0-4c67-9c91-47a8950d210f", "value": "c325dcf4c6c1e2b62a7c5b1245985083" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764348", "to_ids": true, "type": "url", "uuid": "5720c0fc-b0d8-4fe9-bcc8-41b4950d210f", "value": "http://185.130.7.22/files/sBpFSa.exe" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764349", "to_ids": true, "type": "url", "uuid": "5720c0fd-a6a4-46e2-9458-4a9c950d210f", "value": "http://185.130.7.22/files/WRwe3X.exe" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764349", "to_ids": true, "type": "url", "uuid": "5720c0fd-5da4-4b5f-95ea-4aeb950d210f", "value": "http://slater.chat.ru/gvtg77996" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764349", "to_ids": true, "type": "url", "uuid": "5720c0fd-4d60-4474-b651-40ce950d210f", "value": "http://hundeschulegoerg.de/gvtg77996" }, { 
"category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764350", "to_ids": true, "type": "url", "uuid": "5720c0fe-dd94-46d5-a54a-4777950d210f", "value": "http://buhjolk.at/files/dIseJh.exe" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461764350", "to_ids": true, "type": "url", "uuid": "5720c0fe-8dcc-4d81-8b03-4f6c950d210f", "value": "http://buhjolk.at/files/aY5TFn.exe" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10", "deleted": false, "disable_correlation": false, "timestamp": "1461770643", "to_ids": true, "type": "sha1", "uuid": "5720d993-f430-46d3-8fa5-0fab02de0b81", "value": "39ad2102512f2d3b30e038354289b5b734d0d33f" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10", "deleted": false, "disable_correlation": false, "timestamp": "1461770644", "to_ids": true, "type": "md5", "uuid": "5720d994-4600-4933-8dd4-0fab02de0b81", "value": "4df0079da5e37378b15bacc9e0631c33" }, { "category": "External analysis", "comment": "Imported via the freetext import. - Xchecked via VT: 9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10", "deleted": false, "disable_correlation": false, "timestamp": "1461770644", "to_ids": false, "type": "link", "uuid": "5720d994-7ca4-455e-9f2e-0fab02de0b81", "value": "https://www.virustotal.com/file/9a0788ba4e0666e082e18d61fad0fa9d985e1c3223f910a50ec3834ba44cce10/analysis/1460046851/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660", "deleted": false, "disable_correlation": false, "timestamp": "1461770645", "to_ids": true, "type": "sha1", "uuid": "5720d995-11b0-43a0-b5cc-0fab02de0b81", "value": "626d2953e329debdd9ad3feda65341413094fed6" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660", "deleted": false, "disable_correlation": false, "timestamp": "1461770645", "to_ids": true, "type": "md5", "uuid": "5720d995-8004-4dda-a959-0fab02de0b81", "value": "829653e8f2a9453b440ca11975c9aaa0" }, { "category": "External analysis", "comment": "Imported via the freetext import. - Xchecked via VT: 7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660", "deleted": false, "disable_correlation": false, "timestamp": "1461770645", "to_ids": false, "type": "link", "uuid": "5720d995-3140-46e7-b65a-0fab02de0b81", "value": "https://www.virustotal.com/file/7b45833d87d8bd38c44cbaeece65dbbd04e12b8c1ef81a383cf7f0fce9832660/analysis/1459558891/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083", "deleted": false, "disable_correlation": false, "timestamp": "1461770646", "to_ids": true, "type": "sha256", "uuid": "5720d996-dce4-4184-ad02-0fab02de0b81", "value": "f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083", "deleted": false, "disable_correlation": false, "timestamp": "1461770646", "to_ids": true, "type": "sha1", "uuid": "5720d996-99a0-4376-a595-0fab02de0b81", "value": "e701ff37e06e63232c0c47ae5867e7b05536ee36" }, { "category": "External analysis", "comment": "Imported via the freetext import. 
- Xchecked via VT: c325dcf4c6c1e2b62a7c5b1245985083", "deleted": false, "disable_correlation": false, "timestamp": "1461770647", "to_ids": false, "type": "link", "uuid": "5720d997-a6e8-44a7-b706-0fab02de0b81", "value": "https://www.virustotal.com/file/f6c463bbe4f5da7b0ce38e6b76cd1d687964bc787b63bb7a2338d36ef6c3a360/analysis/1461736669/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc", "deleted": false, "disable_correlation": false, "timestamp": "1461770647", "to_ids": true, "type": "sha256", "uuid": "5720d997-6b7c-4b03-a65b-0fab02de0b81", "value": "a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc", "deleted": false, "disable_correlation": false, "timestamp": "1461770648", "to_ids": true, "type": "sha1", "uuid": "5720d998-7e78-4485-91c8-0fab02de0b81", "value": "b3a7f553c32a551786d873fa26047170f6f9c2e1" }, { "category": "External analysis", "comment": "Imported via the freetext import. - Xchecked via VT: ebf1f8951ec79f2e6bf40e6981c7dbfc", "deleted": false, "disable_correlation": false, "timestamp": "1461770648", "to_ids": false, "type": "link", "uuid": "5720d998-f688-4bcc-88e6-0fab02de0b81", "value": "https://www.virustotal.com/file/a3d090f64b9dbca420f232966d65ecdca333cb497308cea94477e5219af685ae/analysis/1461571429/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6", "deleted": false, "disable_correlation": false, "timestamp": "1461770648", "to_ids": true, "type": "sha256", "uuid": "5720d998-d3b0-4521-ae7a-0fab02de0b81", "value": "5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6", "deleted": false, "disable_correlation": false, "timestamp": "1461770649", "to_ids": true, "type": "sha1", "uuid": "5720d999-bb0c-4cf0-893b-0fab02de0b81", "value": "21ac04e0d5acff88c83151a0e774001c0c06a744" }, { "category": "External analysis", "comment": "Imported via the freetext import. - Xchecked via VT: c5ad81d8d986c92f90d0462bc06ac9c6", "deleted": false, "disable_correlation": false, "timestamp": "1461770649", "to_ids": false, "type": "link", "uuid": "5720d999-1650-4442-aca5-0fab02de0b81", "value": "https://www.virustotal.com/file/5d6ddb8458ee5ab99f3e7d9a21490ff4e5bc9808e18b9e20b6dc2c5b27927ba1/analysis/1460448282/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1", "deleted": false, "disable_correlation": false, "timestamp": "1461770650", "to_ids": true, "type": "sha256", "uuid": "5720d99a-15e8-4e7a-9fe5-0fab02de0b81", "value": "e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1", "deleted": false, "disable_correlation": false, "timestamp": "1461770651", "to_ids": true, "type": "sha1", "uuid": "5720d99b-5644-4574-9a56-0fab02de0b81", "value": "b85a45350bc7c98bb9bae572cc861af51789ce69" }, { "category": "External analysis", "comment": "Imported via the freetext import. 
- Xchecked via VT: b0ca8c5881c1d27684c23db7a88d11e1", "deleted": false, "disable_correlation": false, "timestamp": "1461770651", "to_ids": false, "type": "link", "uuid": "5720d99b-82fc-49a4-9701-0fab02de0b81", "value": "https://www.virustotal.com/file/e4c4e5337fa14ac8eb38376ec069173481f186692586edba805406fa756544d9/analysis/1461052381/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461829031", "to_ids": true, "type": "domain", "uuid": "5721bda7-9dfc-4984-b012-4e32950d210f", "value": "slater.chat.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461829030", "to_ids": true, "type": "domain", "uuid": "5721bda6-8408-401a-96fe-40f3950d210f", "value": "hundeschulegoerg.de" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461829029", "to_ids": true, "type": "ip-dst", "uuid": "5721bda5-90e4-460c-b362-4667950d210f", "value": "185.130.7.22" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461829030", "to_ids": true, "type": "domain", "uuid": "5721bda6-4520-4e2d-9136-4bd3950d210f", "value": "buhjolk.at" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461829031", "to_ids": true, "type": "domain", "uuid": "5721bda7-d424-4f46-8138-4133950d210f", "value": "mrsweeter.ru" } ] } }