286 lines
No EOL
11 KiB
JSON
286 lines
No EOL
11 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-04-12",
|
|
"extends_uuid": "",
|
|
"info": "Rokku Ransomware shows possible link with Chimera",
|
|
"publish_timestamp": "1460444472",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1460444381",
|
|
"uuid": "570c9b9a-dc20-448a-8f24-443f950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444092",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "570c9bbc-3e44-4a98-b0d3-4aea950d210f",
|
|
"value": "Rokku is yet another ransomware, discovered in recent weeks. Currently, it\u00e2\u20ac\u2122s most common distribution method is spam where a malicious executable is dropped by a VB script belonging to the e-mail\u00e2\u20ac\u2122s attachment.\r\n\r\nThe building blocks of Rokku reminded us of the Chimera ransomware. That\u00e2\u20ac\u2122s why we decided to take a closer look, not only at the internal structure of this malware but also at the similarities and differences between these two products."
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444104",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "570c9bc8-fcd0-4608-b703-4848950d210f",
|
|
"value": "https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "original executable (malware)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444173",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "570c9c0d-b684-4990-8b90-4dcc950d210f",
|
|
"value": "97512f4617019c907cd0f88193039e7c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "UPX layer removed (malware)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444173",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "570c9c0d-bc48-4fc6-b1dc-4f17950d210f",
|
|
"value": "5a0e3a6e3106e754381bd1cc3295c97f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "payload: encryptor.dll (malware) - the analysis",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444173",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "570c9c0d-addc-4cd3-85fd-4956950d210f",
|
|
"value": "be6552aed5e7509b3b539cef8a965131"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "original executable: decryptor.exe (decryptor)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444235",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "570c9c4b-6ad4-427e-8c07-489e950d210f",
|
|
"value": "82fea20bb4c96050b4cf55f83de0f3e6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "UPX layer removed (decryptor)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444235",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "570c9c4b-53c4-464c-9303-4c91950d210f",
|
|
"value": "1be4a0932a66ebdb9ede56214d8ccdf9"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Finally, removing backups and stopping backup services is performed \u00e2\u20ac\u201c by execution of the following commands:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444292",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "570c9c84-3d14-4715-b999-48cf950d210f",
|
|
"value": "wmic shadowcopy delete /nointeractive\r\nvssadmin delete shadows /all /quiet\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\services\\VSS\" /v Start /t REG_DWORD /d 4 /f\r\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\" /v DisableSR /t REG_DWORD /d 1 /f\r\nnet stop vss\r\nnet stop swprv\r\nnet stop srservice"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444381",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "570c9cdd-39d8-4f9e-802c-402702de0b81",
|
|
"value": "09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "UPX layer removed (decryptor) - Xchecked via VT: 1be4a0932a66ebdb9ede56214d8ccdf9",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444381",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "570c9cdd-79fc-450e-86b0-486a02de0b81",
|
|
"value": "27e46208f348de4df378c8646c14f499d2290793"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444382",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "570c9cde-1aac-4cde-b159-451302de0b81",
|
|
"value": "https://www.virustotal.com/file/09eecd70914e38a1ee83295db5834cfdf848bab987a51afa6ed1c3b2dff027fc/analysis/1459878434/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444382",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "570c9cde-b944-4147-a64c-42fd02de0b81",
|
|
"value": "e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "original executable: decryptor.exe (decryptor) - Xchecked via VT: 82fea20bb4c96050b4cf55f83de0f3e6",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444382",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "570c9cde-06ac-4ace-8186-4ff702de0b81",
|
|
"value": "035af05addaf8cf9c103bbb27b355477ce336cc1"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444383",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "570c9cdf-4e74-4cf3-b93a-4e9c02de0b81",
|
|
"value": "https://www.virustotal.com/file/e477e3337636b44477bb2feaf4016a0d2ad9eca273b0c2ef9b55ccb2c9902d87/analysis/1459878217/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444383",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "570c9cdf-7d2c-4580-bef9-44be02de0b81",
|
|
"value": "186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "payload: encryptor.dll (malware) - the analysis - Xchecked via VT: be6552aed5e7509b3b539cef8a965131",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444383",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "570c9cdf-e470-4fbf-b638-46eb02de0b81",
|
|
"value": "da1ad69f282ae49a0af6aa7bef190f434ac18c7b"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444384",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "570c9ce0-0140-46c7-b4b9-4a6402de0b81",
|
|
"value": "https://www.virustotal.com/file/186073cd4539725cbc26f8dac867c97e21d4c88836305a16acf50a70d6121f51/analysis/1459758054/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444384",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "570c9ce0-f1b0-4d89-b14f-4ff202de0b81",
|
|
"value": "1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "UPX layer removed (malware) - Xchecked via VT: 5a0e3a6e3106e754381bd1cc3295c97f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444384",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "570c9ce0-92c4-4f1c-a35c-403102de0b81",
|
|
"value": "49239500b0510ce7643c48ebfaf6c9e35aa1cce5"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444385",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "570c9ce1-ac20-4b2a-8b30-44e702de0b81",
|
|
"value": "https://www.virustotal.com/file/1c40b5c96d13580f1dfa38f59f177502349aa1c962ff95559e0ec805155eb983/analysis/1459828258/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444385",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "570c9ce1-c698-48aa-b27a-46e602de0b81",
|
|
"value": "438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "original executable (malware) - Xchecked via VT: 97512f4617019c907cd0f88193039e7c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444385",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "570c9ce1-5af8-482a-a990-46c702de0b81",
|
|
"value": "24cfa261ee30f697e7d1e2215eee1c21eebf4579"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1460444385",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "570c9ce1-6d14-459a-8a69-4f7502de0b81",
|
|
"value": "https://www.virustotal.com/file/438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499/analysis/1459900992/"
|
|
}
|
|
]
|
|
}
|
|
} |