{ "Event": { "analysis": "2", "date": "2018-01-29", "extends_uuid": "", "info": "OSINT - GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension", "publish_timestamp": "1519121276", "published": true, "threat_level_id": "3", "timestamp": "1519121264", "uuid": "5a8aea46-0ad4-4b8a-9cfd-445b950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#2c4f00", "name": "malware_classification:malware-category=\"Ransomware\"" }, { "colour": "#770040", "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519121248", "to_ids": false, "type": "link", "uuid": "5a8aea94-20d8-420b-a52b-4155950d210f", "value": "https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519121249", "to_ids": true, "type": "filename", "uuid": "5a8aebb2-8d38-4b51-8a0f-49bf950d210f", "value": "bleepingcomputer.bit" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519121249", "to_ids": true, "type": "filename", "uuid": "5a8aebb3-46cc-4143-bc91-4a17950d210f", "value": "nomoreransom.bit" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519121250", "to_ids": true, "type": "filename", "uuid": "5a8aebb3-909c-4690-9520-4e50950d210f", "value": "esetnod32.bit" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519121250", "to_ids": true, "type": "filename", "uuid": "5a8aebb3-6b9c-4da9-b7d7-4c08950d210f", "value": "emsisoft.bit" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519121250", "to_ids": true, "type": "filename", "uuid": "5a8aebb4-97e8-480d-be52-4cd7950d210f", "value": "gandcrab.bit" }, { "category": "Payload delivery", "comment": "ransomnote", "deleted": false, "disable_correlation": false, "timestamp": "1519121251", "to_ids": true, "type": "filename", "uuid": "5a8aec25-f770-4bdf-a543-4f23950d210f", "value": "GDCB-DECRYPT.txt" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519053876", "to_ids": true, "type": "md5", "uuid": "5a8aec34-8204-4027-9e22-4d3c950d210f", "value": "aedf80c426fb649bb258e430a3830d85" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519053876", "to_ids": true, "type": "md5", "uuid": "5a8aec34-1638-4675-872a-4e64950d210f", "value": "6866d8d8bf8565d94e0e1479978cf1e5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519053877", "to_ids": true, "type": "md5", "uuid": "5a8aec35-1e64-4c86-b38d-4890950d210f", "value": "379e149517f4119f2edb9676ec456ed4" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1519121251", "to_ids": false, "type": "comment", "uuid": "5a8bd3ad-2570-4490-bfe3-4ec0950d210f", "value": "A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld.", "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1519121257", "uuid": "fdc7c223-2171-45ac-b03d-9aaf289e0612", "ObjectReference": [ { "comment": "", "object_uuid": "fdc7c223-2171-45ac-b03d-9aaf289e0612", "referenced_uuid": "7c7e6c58-6dbb-4189-982d-3aa8636c352f", "relationship_type": "analysed-with", "timestamp": "1519121259", "uuid": "5a8bf36b-84b4-4d90-becf-48e002de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1519121254", "to_ids": true, "type": "sha1", "uuid": "5a8bf366-44d8-41b4-be9d-464902de0b81", "value": "2245bd90b753b7fd29b7218a0ef50435c64f8767" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1519121255", "to_ids": true, "type": "sha256", "uuid": "5a8bf367-ea98-415f-ac9e-466802de0b81", "value": "3e2e881ec6fcfb6329cad95c15de4a90aef1032550176c7c7729c0a0e383c615" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1519121255", "to_ids": true, "type": "md5", "uuid": "5a8bf367-cf20-4ee9-bc10-4dfe02de0b81", "value": "6866d8d8bf8565d94e0e1479978cf1e5" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1519121255", "uuid": "7c7e6c58-6dbb-4189-982d-3aa8636c352f", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1519121255", "to_ids": false, "type": "link", "uuid": "5a8bf367-52dc-44ee-9641-4b8a02de0b81", "value": "https://www.virustotal.com/file/3e2e881ec6fcfb6329cad95c15de4a90aef1032550176c7c7729c0a0e383c615/analysis/1518976209/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1519121256", "to_ids": false, "type": "text", "uuid": "5a8bf368-5744-4b42-9759-444302de0b81", "value": "55/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1519121256", "to_ids": false, "type": "datetime", "uuid": "5a8bf368-c0ac-437c-b853-431f02de0b81", "value": "2018-02-18T17:50:09" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1519121260", "uuid": "cd7071df-c409-4094-968c-c3c144a2a380", "ObjectReference": [ { "comment": "", "object_uuid": "cd7071df-c409-4094-968c-c3c144a2a380", "referenced_uuid": "1317f7cd-64b0-471b-be2d-fc2cd3fd851b", "relationship_type": "analysed-with", "timestamp": "1519121259", "uuid": "5a8bf36b-bbfc-4294-b2bb-4bed02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1519121257", "to_ids": true, "type": "sha1", "uuid": "5a8bf369-1e34-4201-b10c-421902de0b81", "value": "0876ad729d79da65ed4e72966d9f9d209394ebfa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1519121257", "to_ids": true, "type": "sha256", "uuid": "5a8bf369-074c-4c57-8e9f-417c02de0b81", "value": "03d68025f52d0930a99a67264a3ddad43d0a8bc9ffa0503e603311a43da1ca28" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1519121258", "to_ids": true, "type": "md5", "uuid": "5a8bf36a-1080-41c3-ae9a-41c202de0b81", "value": "aedf80c426fb649bb258e430a3830d85" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1519121258", "uuid": "1317f7cd-64b0-471b-be2d-fc2cd3fd851b", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1519121258", "to_ids": false, "type": "link", "uuid": "5a8bf36a-16d0-4cb0-a81e-4c2f02de0b81", "value": "https://www.virustotal.com/file/03d68025f52d0930a99a67264a3ddad43d0a8bc9ffa0503e603311a43da1ca28/analysis/1518976703/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1519121259", "to_ids": false, "type": "text", "uuid": "5a8bf36b-fd30-42a3-b727-4db202de0b81", "value": "49/68" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1519121259", "to_ids": false, "type": "datetime", "uuid": "5a8bf36b-b100-45cf-8bdb-40ee02de0b81", "value": "2018-02-18T17:58:23" } ] } ] } }