{ "Event": { "analysis": "2", "date": "2016-10-05", "extends_uuid": "", "info": "OSINT - Hades Locker Ransomware Mimics Locky", "publish_timestamp": "1479192568", "published": true, "threat_level_id": "3", "timestamp": "1479192544", "uuid": "582aae88-202c-45ef-b8e9-4e61950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#006c6c", "local": false, "name": "ecsirt:malicious-code=\"ransomware\"", "relationship_type": "" }, { "colour": "#00acd1", "local": false, "name": "veris:action:malware:variety=\"Ransomware\"", "relationship_type": "" }, { "colour": "#2c4f00", "local": false, "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#420053", "local": false, "name": "ms-caro-malware:malware-type=\"Ransom\"", "relationship_type": "" }, { "colour": "#39b300", "local": false, "name": "enisa:nefarious-activity-abuse=\"ransomware\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479192215", "to_ids": false, "type": "link", "uuid": "582aae97-bce0-478f-8b51-9912950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/hades-locker-ransomware-mimics-locky" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479192231", "to_ids": false, "type": "comment", "uuid": "582aaea7-f16c-415a-b96b-4dbc950d210f", "value": "Proofpoint discovered another new ransomware strain on October 4, called Hades Locker, which mimics Locky\u2019s ransom message. Hades Locker appears to be an evolution of Zyklon Locker and Wildfire Locker [1] which we observed using the same sending botnet (Kelihos [2]) earlier this year.\nThe recently documented CryptFile2 [3] and MarsJoke [4] campaigns also used the same sending spam botnet and similar distribution techniques (transportation-related email lures). However, while CryptFile2 and MarsJoke campaigns targeted state and local government agencies, the current Hades Locker campaign targeted Manufacturing and Business Services verticals." }, { "category": "Payload delivery", "comment": "Update.exe (Hades Locker)", "deleted": false, "disable_correlation": false, "timestamp": "1479192257", "to_ids": true, "type": "sha256", "uuid": "582aaec1-a1e8-4dae-963c-4a28950d210f", "value": "37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809" }, { "category": "Network activity", "comment": "Hades Locker C2", "deleted": false, "disable_correlation": false, "timestamp": "1479192346", "to_ids": true, "type": "url", "uuid": "582aaf1a-2ba0-4b6e-9831-44c6950d210f", "value": "http://pfmydcsjib.ru/config.php" }, { "category": "Network activity", "comment": "Hades Locker C2", "deleted": false, "disable_correlation": false, "timestamp": "1479192346", "to_ids": true, "type": "url", "uuid": "582aaf1a-c674-4a31-8d7e-43b7950d210f", "value": "http://jdybchotfn.ru/config.php" }, { "category": "Network activity", "comment": "Payload (Hades Locker) downloaded by documents", "deleted": false, "disable_correlation": false, "timestamp": "1479192374", "to_ids": true, "type": "url", "uuid": "582aaf36-dc28-4aec-99cf-b9bb950d210f", "value": "http://185.45.193.169/update.exe" }, { "category": "Network activity", "comment": "URL in email", "deleted": false, "disable_correlation": false, "timestamp": "1479192406", "to_ids": true, "type": "url", "uuid": "582aaf56-cc40-4304-bd1d-4a2b950d210f", "value": "http://transportbedrijfvanetten.nl/downloads/levering-7834535.doc" }, { "category": "Network activity", "comment": "URL in email", "deleted": false, "disable_correlation": false, "timestamp": "1479192406", "to_ids": true, "type": "url", "uuid": 
"582aaf56-05dc-4c89-98e6-4a2b950d210f", "value": "http://leursmatransport.nl/downloads/levering-1245789.doc" }, { "category": "Network activity", "comment": "URL in email", "deleted": false, "disable_correlation": false, "timestamp": "1479192406", "to_ids": true, "type": "url", "uuid": "582aaf56-1ec0-454f-821a-4a2b950d210f", "value": "http://transportbedrijfbrenninkmeijer.nl/downloads/levering-739176.doc" }, { "category": "Network activity", "comment": "URL in email", "deleted": false, "disable_correlation": false, "timestamp": "1479192407", "to_ids": true, "type": "url", "uuid": "582aaf57-819c-4be7-8764-4a2b950d210f", "value": "http://breesmanstransport.nl/downloads/levering-1478529.doc" }, { "category": "Payload delivery", "comment": "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809", "deleted": false, "disable_correlation": false, "timestamp": "1479192544", "to_ids": true, "type": "sha1", "uuid": "582aafe0-7574-4768-9c87-4e6b02de0b81", "value": "68e8e1eaa7439173362ff42fec37e1149f162662" }, { "category": "Payload delivery", "comment": "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809", "deleted": false, "disable_correlation": false, "timestamp": "1479192544", "to_ids": true, "type": "md5", "uuid": "582aafe0-9d54-4194-8340-44f302de0b81", "value": "8f03cf5d3c951cf2711144e84779b590" }, { "category": "External analysis", "comment": "Update.exe (Hades Locker) - Xchecked via VT: 37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809", "deleted": false, "disable_correlation": false, "timestamp": "1479192545", "to_ids": false, "type": "link", "uuid": "582aafe1-ac98-459f-87f4-4e1902de0b81", "value": "https://www.virustotal.com/file/37004c5019db04463248da8469952af8ed742ba00cfa440dd65b2d94d0856809/analysis/1478842683/" } ] } }