{ "Event": { "analysis": "2", "date": "2017-08-31", "extends_uuid": "", "info": "OSINT - RIG exploit kit distributes Princess ransomware", "publish_timestamp": "1514467877", "published": true, "threat_level_id": "3", "timestamp": "1513738831", "uuid": "5a3797c2-e770-4722-9435-4350950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:ransomware=\"Princess Locker\"", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#2c4f00", "local": false, "name": "malware_classification:malware-category=\"Ransomware\"", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1513594183", "to_ids": false, "type": "link", "uuid": "5a3797dd-f168-4087-b939-4ceb950d210f", "value": "https://blog.malwarebytes.com/cybercrime/2017/08/rig-exploit-kit-distributes-princess-ransomware/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1513594183", "to_ids": false, "type": "comment", "uuid": "5a3797e9-6a14-49f6-939e-4b36950d210f", "value": "We have identified a new drive-by download campaign that distributes the Princess ransomware (AKA PrincessLocker), leveraging compromised websites and the RIG exploit kit. 
This is somewhat of a change for those tracking malvertising campaigns and their payloads.\r\n\r\nWe had analyzed the PrincessLocker ransomware last November and pointed out that despite similarities with Cerber\u2019s onion page, the actual code was much different. A new payment page seemed to have been seen in underground forums and is now being used with attacks in the wild.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "RIG EK gate", "deleted": false, "disable_correlation": false, "timestamp": "1513594183", "to_ids": true, "type": "ip-dst", "uuid": "5a3798b2-f484-4eec-9213-4d50950d210f", "value": "185.198.164.152" }, { "category": "Network activity", "comment": "RIG EK IP address", "deleted": false, "disable_correlation": false, "timestamp": "1513594183", "to_ids": true, "type": "ip-dst", "uuid": "5a3798b2-4c88-45c5-8a28-4832950d210f", "value": "188.225.84.28" }, { "category": "Payload delivery", "comment": "PrincessLocker binary", "deleted": false, "disable_correlation": false, "timestamp": "1513593010", "to_ids": true, "type": "sha256", "uuid": "5a3798b2-25d0-43a4-b9b8-4064950d210f", "value": "c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7" }, { "category": "Network activity", "comment": "PrincessLocker payment page", "deleted": false, "disable_correlation": false, "timestamp": "1513594183", "to_ids": true, "type": "domain", "uuid": "5a3798b2-c160-4334-bfa2-4c41950d210f", "value": "royall6qpvndxlsj.onion" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1513594186", "uuid": "65a56413-80b7-49b7-83e7-1766f5fcb8f4", "ObjectReference": [ { "comment": "", "object_uuid": 
"65a56413-80b7-49b7-83e7-1766f5fcb8f4", "referenced_uuid": "fb3dcb25-eb21-42c9-9dbd-011d260655cd", "relationship_type": "analysed-with", "timestamp": "1514467877", "uuid": "5a379d48-07b0-4c47-a615-459f02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "PrincessLocker binary", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1513594184", "to_ids": true, "type": "sha1", "uuid": "5a379d48-e4fc-4cd8-ac5a-483902de0b81", "value": "5e30397f36df1e828ce705b7ec0ce62916451aae" }, { "category": "Payload delivery", "comment": "PrincessLocker binary", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1513594184", "to_ids": true, "type": "md5", "uuid": "5a379d48-9184-4583-b5da-4bbf02de0b81", "value": "e7412ad8301456f3f4e32ab2d2c6f3f7" }, { "category": "Payload delivery", "comment": "PrincessLocker binary", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1513594184", "to_ids": true, "type": "sha256", "uuid": "5a379d48-f208-4aeb-8a24-4eaa02de0b81", "value": "c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1513594184", "uuid": "fb3dcb25-eb21-42c9-9dbd-011d260655cd", "Attribute": [ { "category": "External analysis", "comment": "PrincessLocker binary", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1513594184", "to_ids": false, "type": "link", "uuid": "5a379d48-c620-4291-9f33-4d4d02de0b81", "value": "https://www.virustotal.com/file/c61f4c072bb1e3c6281a9799c1a3902f35dba652756fe96a97e60d0097a3f9b7/analysis/1505118111/" }, { "category": "Other", "comment": "PrincessLocker binary", "deleted": false, "disable_correlation": true, "object_relation": 
"detection-ratio", "timestamp": "1513594184", "to_ids": false, "type": "text", "uuid": "5a379d48-d8d8-4102-8582-45e402de0b81", "value": "48/63" }, { "category": "Other", "comment": "PrincessLocker binary", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1513594184", "to_ids": false, "type": "datetime", "uuid": "5a379d48-f06c-4180-b1b1-40be02de0b81", "value": "2017-09-11T08:21:51" } ] } ] } }