adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5915b22e-c3e8-4f13-9449-7f3fc0a80a8e.json

954 lines
No EOL
42 KiB
JSON
Raw Permalink Blame History

{
"Event": {
"analysis": "1",
"date": "2017-05-12",
"extends_uuid": "",
"info": "Ransomware spreading through SMB attacking multiple companies",
"publish_timestamp": "1602320841",
"published": true,
"threat_level_id": "3",
"timestamp": "1588338617",
"uuid": "5915b22e-c3e8-4f13-9449-7f3fc0a80a8e",
"Orgc": {
"name": "INCIBE",
"uuid": "56fa4fe4-f528-4480-8332-1ba3c0a80a8c"
},
"Tag": [
{
"colour": "#2c4f00",
"local": false,
"name": "malware_classification:malware-category=\"Ransomware\"",
"relationship_type": ""
},
{
"colour": "#3f7f00",
"local": false,
"name": "circl:incident-classification=\"vulnerability\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:ransomware=\"WannaCry\"",
"relationship_type": ""
},
{
"colour": "#00fff3",
"local": false,
"name": "Trj=Doublepulsar",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"ETERNALBLUE\"",
"relationship_type": ""
},
{
"colour": "#ef1515",
"local": false,
"name": "Symantec",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
"deleted": false,
"disable_correlation": false,
"timestamp": "1588084147",
"to_ids": false,
"type": "link",
"uuid": "5915b3c2-fcc0-49fb-be03-7ed3c0a80a8e",
"value": "https://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1588084139",
"to_ids": false,
"type": "link",
"uuid": "5915b3e4-5928-485f-9795-565fc0a80a8e",
"value": "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494634206",
"to_ids": false,
"type": "comment",
"uuid": "5915b926-baf4-4bc1-b930-7f3ec0a80a8e",
"value": "Performs connections to tor network"
},
{
"category": "Payload delivery",
"comment": "taskdl.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013291",
"to_ids": true,
"type": "md5",
"uuid": "5915b282-0bb4-4057-ab3a-7ed3c0a80a8e",
"value": "4fef5e34143e646dbf9907c4374276f5"
},
{
"category": "Payload delivery",
"comment": "taskse.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013287",
"to_ids": true,
"type": "md5",
"uuid": "5915b30b-6f00-433e-9c26-7f3fc0a80a8e",
"value": "8495400f199ac77853c53b5a3f278f3e"
},
{
"category": "Payload delivery",
"comment": "taskdl.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1588338617",
"to_ids": true,
"type": "sha1",
"uuid": "5915b282-b5a4-448f-ba81-7ed3c0a80a8e",
"value": "47a9ad4125b6bd7c55e4e7da251e23f089407b8f"
},
{
"category": "Payload delivery",
"comment": "taskse.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013306",
"to_ids": true,
"type": "sha1",
"uuid": "5915b30b-b388-4106-b603-7f3fc0a80a8e",
"value": "be5d6279874da315e3080b06083757aad9b32c23"
},
{
"category": "Payload delivery",
"comment": "taskdl.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013314",
"to_ids": true,
"type": "sha256",
"uuid": "5915b282-27a8-4aa2-b550-7ed3c0a80a8e",
"value": "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79"
},
{
"category": "Payload delivery",
"comment": "wannacry.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013318",
"to_ids": true,
"type": "sha256",
"uuid": "5915b2f7-7298-4fa9-af0b-557ec0a80a8e",
"value": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"
},
{
"category": "Payload delivery",
"comment": "taskse.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013321",
"to_ids": true,
"type": "sha256",
"uuid": "5915b30c-5670-438a-81ad-7f3fc0a80a8e",
"value": "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d"
},
{
"category": "Payload delivery",
"comment": "u.wnry",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013326",
"to_ids": true,
"type": "sha256",
"uuid": "5915b33e-bf0c-49c0-bdf9-5582c0a80a8e",
"value": "b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25"
},
{
"category": "Artifacts dropped",
"comment": "https://twitter.com/gN3mes1s/status/863149075159543808",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494633160",
"to_ids": true,
"type": "mutex",
"uuid": "59164ac8-180c-419c-bf20-0387c0a80a8e",
"value": "MsWinZonesCacheCounterMutexA"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1588084145",
"to_ids": false,
"type": "link",
"uuid": "59164b00-ea34-4a56-b2e3-7f3ec0a80a8e",
"value": "https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168"
},
{
"category": "Network activity",
"comment": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013257",
"to_ids": true,
"type": "domain",
"uuid": "59164b98-41d4-4fa5-85d4-7f3fc0a80a8e",
"value": "gx7ekbenv2riucmf.onion"
},
{
"category": "Network activity",
"comment": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013260",
"to_ids": true,
"type": "domain",
"uuid": "59164b98-4350-4c3e-a5a2-7f3fc0a80a8e",
"value": "57g7spgrzlojinas.onion"
},
{
"category": "Network activity",
"comment": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013265",
"to_ids": true,
"type": "domain",
"uuid": "59164b99-5768-454a-b81b-7f3fc0a80a8e",
"value": "xxlvbrloxvriy2c5.onion"
},
{
"category": "Network activity",
"comment": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013269",
"to_ids": true,
"type": "domain",
"uuid": "59164b99-d354-4572-8500-7f3fc0a80a8e",
"value": "76jdd2ir2embyv47.onion"
},
{
"category": "Network activity",
"comment": "C&C tor servers - https://twitter.com/hackerfantastic/status/863115568181850113",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013272",
"to_ids": true,
"type": "domain",
"uuid": "59164b99-d7f0-4703-87c8-7f3fc0a80a8e",
"value": "cwwnhwhlz52maqm7.onion"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713981",
"to_ids": true,
"type": "filename",
"uuid": "5917867d-0130-4055-b361-43f4c0a80a8e",
"value": "176641494574290.bat"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713981",
"to_ids": true,
"type": "filename",
"uuid": "5917867d-caf8-4e4c-8b5d-43f4c0a80a8e",
"value": "@Please_Read_Me@.txt"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713981",
"to_ids": true,
"type": "filename",
"uuid": "5917867d-1fac-4084-bb8b-43f4c0a80a8e",
"value": "@WanaDecryptor@.exe"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713981",
"to_ids": true,
"type": "filename",
"uuid": "5917867d-ad24-4b97-a77a-43f4c0a80a8e",
"value": "@WanaDecryptor@.exe.lnk"
},
{
"category": "Payload delivery",
"comment": "(Older variant) - https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713981",
"to_ids": true,
"type": "filename",
"uuid": "5917867d-8cb8-4905-93f0-43f4c0a80a8e",
"value": "Please Read Me!.txt"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013277",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-db5c-4ca5-8aa8-43f4c0a80a8e",
"value": "%WINDIR%\\tasksche.exe"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-b8b4-456a-9098-43f4c0a80a8e",
"value": "%WINDIR%\\qeriuwjhrf"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-9c90-4715-ae88-43f4c0a80a8e",
"value": "131181494299235.bat"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-4b3c-47f8-978a-43f4c0a80a8e",
"value": "217201494590800.bat"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": false,
"type": "filename",
"uuid": "5917867e-bf70-410e-a68c-43f4c0a80a8e",
"value": "[0-9]{15}.bat"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-6ebc-425a-beae-43f4c0a80a8e",
"value": "!WannaDecryptor!.exe.lnk"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-6488-42f1-abb6-43f4c0a80a8e",
"value": "00000000.pky"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-8648-438d-9087-43f4c0a80a8e",
"value": "00000000.eky"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-ad3c-48eb-afa9-43f4c0a80a8e",
"value": "00000000.res"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713982",
"to_ids": true,
"type": "filename",
"uuid": "5917867e-72fc-4114-b3f2-43f4c0a80a8e",
"value": "%WINDIR%\\system32\\taskdl.exe"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713981",
"to_ids": true,
"type": "md5",
"uuid": "5917867d-791c-4fd8-a73e-43f4c0a80a8e",
"value": "fefe6b30d0819f1a1775e14730a10e0e"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713767",
"to_ids": true,
"type": "sha256",
"uuid": "591785a7-9470-43b7-acbe-43f2c0a80a8e",
"value": "85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713767",
"to_ids": true,
"type": "sha256",
"uuid": "591785a7-f5a4-4f64-bfb0-43f2c0a80a8e",
"value": "3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713742",
"to_ids": true,
"type": "sha256",
"uuid": "5917858e-99d8-458d-96cb-43f2c0a80a8e",
"value": "dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713743",
"to_ids": true,
"type": "sha256",
"uuid": "5917858f-5e10-4534-b16f-43f2c0a80a8e",
"value": "201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013334",
"to_ids": true,
"type": "sha256",
"uuid": "5917858f-9c64-47de-8999-43f2c0a80a8e",
"value": "c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013331",
"to_ids": true,
"type": "sha256",
"uuid": "5917858f-c9d4-4db1-9950-43f2c0a80a8e",
"value": "09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713743",
"to_ids": true,
"type": "sha256",
"uuid": "5917858f-e220-4492-a1e2-43f2c0a80a8e",
"value": "aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713744",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-2db8-432a-8ca9-43f2c0a80a8e",
"value": "21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713744",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-10a8-4cc1-927b-43f2c0a80a8e",
"value": "2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013339",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-80e0-4c92-a255-43f2c0a80a8e",
"value": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013343",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-b68c-4f8c-8b10-43f2c0a80a8e",
"value": "f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013346",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-2638-4f4e-b40e-43f2c0a80a8e",
"value": "4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013349",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-f04c-46b6-97db-43f2c0a80a8e",
"value": "9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013352",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-7ea0-4bfa-abb8-43f2c0a80a8e",
"value": "78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013354",
"to_ids": true,
"type": "sha256",
"uuid": "59178590-8f04-4e97-80dd-43f2c0a80a8e",
"value": "be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713758",
"to_ids": true,
"type": "sha256",
"uuid": "5917859e-0ed0-4445-be26-43f2c0a80a8e",
"value": "5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713758",
"to_ids": true,
"type": "sha256",
"uuid": "5917859e-0268-488a-afa9-43f2c0a80a8e",
"value": "76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713758",
"to_ids": true,
"type": "sha256",
"uuid": "5917859e-f96c-4d4b-b388-43f2c0a80a8e",
"value": "fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013363",
"to_ids": true,
"type": "sha256",
"uuid": "5917859e-21c8-4d66-92c2-43f2c0a80a8e",
"value": "eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713758",
"to_ids": true,
"type": "sha256",
"uuid": "5917859e-3e7c-4c80-ae7b-43f2c0a80a8e",
"value": "043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013365",
"to_ids": true,
"type": "sha256",
"uuid": "5917859e-5aa8-455e-8ebc-43f2c0a80a8e",
"value": "57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013368",
"to_ids": true,
"type": "sha256",
"uuid": "5917859e-96a0-47c6-8a1b-43f2c0a80a8e",
"value": "ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713767",
"to_ids": true,
"type": "sha256",
"uuid": "591785a7-0430-4db2-9490-43f2c0a80a8e",
"value": "f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713767",
"to_ids": true,
"type": "sha256",
"uuid": "591785a7-da0c-494e-b6da-43f2c0a80a8e",
"value": "3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713767",
"to_ids": true,
"type": "sha256",
"uuid": "591785a7-9514-44a9-8dbb-43f2c0a80a8e",
"value": "9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1497013372",
"to_ids": true,
"type": "sha256",
"uuid": "591785a7-ed1c-4e2b-945d-43f2c0a80a8e",
"value": "5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec"
},
{
"category": "Payload delivery",
"comment": "https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494713767",
"to_ids": true,
"type": "sha256",
"uuid": "591785a7-22a8-42e2-be59-43f2c0a80a8e",
"value": "12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b"
},
{
"category": "Artifacts dropped",
"comment": "https://github.com/felmoltor/rules/blob/master/malware/malw_ms17-010_wannacrypt.yar",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494766382",
"to_ids": true,
"type": "yara",
"uuid": "5918532e-a4a0-4e26-b64e-32f8c0a80a8e",
"value": "/*\r\n This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.\r\n\r\n*/\r\n\r\nimport \"pe\"\r\n\r\nrule MS17_010_WanaCry_worm {\r\n\tmeta:\r\n\t\tdescription = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n\t\tauthor = \"Felipe Molina (@felmoltor)\"\r\n\t\treference = \"https://www.exploit-db.com/exploits/41987/\"\r\n\t\tdate = \"2017/05/12\"\r\n\tstrings:\r\n\t\t$ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n\t\t$ms17010_str2=\"LANMAN1.0\"\r\n\t\t$ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n\t\t$ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n\t\t$ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n\t\t$wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n\t\t$wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\n\t\t$wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\n\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Network activity",
"comment": "Killswitch domain. Direct access must be allowed",
"deleted": false,
"disable_correlation": false,
"timestamp": "1495030955",
"to_ids": false,
"type": "hostname",
"uuid": "591854fd-1594-4719-9c4d-32fac0a80a8e",
"value": "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
},
{
"category": "Network activity",
"comment": "Killswitch domain. Direct access must be allowed. https://twitter.com/msuiche/status/863730377642442752",
"deleted": false,
"disable_correlation": false,
"timestamp": "1495030911",
"to_ids": false,
"type": "hostname",
"uuid": "591854fe-ad74-44ca-a8e1-32fac0a80a8e",
"value": "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
},
{
"category": "Persistence mechanism",
"comment": "https://blog.fox-it.com/2017/05/13/faq-on-the-wanacry-ransomware-outbreak/",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494767166",
"to_ids": true,
"type": "regkey|value",
"uuid": "5918563e-ba80-4fb7-a058-32fbc0a80a8e",
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\\|\\tasksche.exe"
},
{
"category": "Payload delivery",
"comment": "ifferfsod\u00c3\u00a2\u00e2\u201a\u00ac\u00c2\u00a6 variant",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494790951",
"to_ids": true,
"type": "sha256",
"uuid": "5918b327-f48c-44b9-8dc7-32fac0a80a8e",
"value": "32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf"
},
{
"category": "Payload delivery",
"comment": "Worm-only variant detected by Kaspersky (encryptor is broken) - https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494791292",
"to_ids": true,
"type": "sha256",
"uuid": "5918b47c-1e74-46be-b9a8-32f8c0a80a8e",
"value": "07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd"
},
{
"category": "Artifacts dropped",
"comment": "Stage2 dropped by worm-only variant - https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494793034",
"to_ids": true,
"type": "sha256",
"uuid": "5918bb4a-68a8-4ddc-a39d-5dccc0a80a8e",
"value": "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd"
},
{
"category": "Payload delivery",
"comment": "diskpart.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1494844950",
"to_ids": true,
"type": "sha256",
"uuid": "59198616-f304-4e1a-9bab-3a1dc0a80a8e",
"value": "55454390f7be33ab5c11b5e0683800dd9a892ce136f1962b0989526fff5592d5"
},
{
"category": "Network activity",
"comment": "Killswitch domain. Direct access must be allowed",
"deleted": false,
"disable_correlation": false,
"timestamp": "1495030793",
"to_ids": false,
"type": "hostname",
"uuid": "591c5c09-ffd8-410e-9347-30b5c0a80a8e",
"value": "www.ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com"
},
{
"category": "Network activity",
"comment": "Killswitch domain. Direct access must be allowed",
"deleted": false,
"disable_correlation": false,
"timestamp": "1495030793",
"to_ids": false,
"type": "hostname",
"uuid": "591c5c09-71b4-486b-99ca-30b5c0a80a8e",
"value": "www.lazarusse.suiche.sdfjhgosurijfaqwqwqrgwea.com"
},
{
"category": "Network activity",
"comment": "Killswitch domain. Direct access must be allowed",
"deleted": false,
"disable_correlation": false,
"timestamp": "1495030794",
"to_ids": false,
"type": "hostname",
"uuid": "591c5c0a-d954-4b78-b7fe-30b5c0a80a8e",
"value": "www.iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
},
{
"category": "Network activity",
"comment": "Killswitch domain. Direct access must be allowed",
"deleted": false,
"disable_correlation": false,
"timestamp": "1495034940",
"to_ids": false,
"type": "hostname",
"uuid": "591c6c3c-d80c-4ccc-8138-30b6c0a80a8e",
"value": "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb.com"
},
{
"category": "Payload installation",
"comment": "Yara rule Wanna_Cry_Ransomware_Generic",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332752",
"to_ids": false,
"type": "yara",
"uuid": "5c49aed0-fff8-43b4-9172-0ad30a646538",
"value": "rule Wanna_Cry_Ransomware_Generic {\r\n meta:\r\n description = \"Detects WannaCry Ransomware on disk and in virtual page\"\r\n author = \"US-CERT Code Analysis Team\"\r\n reference = \"not set\" \r\n date = \"2017/05/12\"\r\n hash0 = \"4DA1F312A214C07143ABEEAFB695D904\"\r\n \r\n strings:\r\n $s0 = {410044004D0049004E0024}\r\n $s1 = \"WannaDecryptor\"\r\n $s2 = \"WANNACRY\"\r\n $s3 = \"Microsoft Enhanced RSA and AES Cryptographic\"\r\n $s4 = \"PKS\"\r\n $s5 = \"StartTask\"\r\n $s6 = \"wcry@123\"\r\n $s7 = {2F6600002F72}\r\n $s8 = \"unzip 0.15 Copyrigh\"\r\n\r\n condition:\r\n $s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8\r\n}"
},
{
"category": "Payload installation",
"comment": "Yara rule MS17_010_WanaCry_worm",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332767",
"to_ids": false,
"type": "yara",
"uuid": "5c49aedf-b310-40b5-ba84-0ac40a646538",
"value": "rule MS17_010_WanaCry_worm {\r\n meta:\r\n description = \"Worm exploiting MS17-010 and dropping WannaCry Ransomware\"\r\n author = \"Felipe Molina (@felmoltor)\"\r\n reference = \"https://www.exploit-db.com/exploits/41987/\"\r\n date = \"2017/05/12\"\r\n\r\n strings:\r\n $ms17010_str1=\"PC NETWORK PROGRAM 1.0\"\r\n $ms17010_str2=\"LANMAN1.0\"\r\n $ms17010_str3=\"Windows for Workgroups 3.1a\"\r\n $ms17010_str4=\"__TREEID__PLACEHOLDER__\"\r\n $ms17010_str5=\"__USERID__PLACEHOLDER__\"\r\n $wannacry_payload_substr1 = \"h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j\"\r\n $wannacry_payload_substr2 = \"h54WfF9cGigWFEx92bzmOd0UOaZlM\"\r\n $wannacry_payload_substr3 = \"tpGFEoLOU6+5I78Toh/nHs/RAP\"\r\n\r\n condition:\r\n all of them\r\n}"
},
{
"category": "Payload installation",
"comment": "Yara rule wannacry_1 : ransom",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332785",
"to_ids": false,
"type": "yara",
"uuid": "5c49aef1-9c60-4202-8c5a-0b040a646538",
"value": "rule wannacry_1 : ransom\r\n{\r\n meta:\r\n author = \"Joshua Cannell\"\r\n description = \"WannaCry Ransomware strings\"\r\n weight = 100\r\n date = \"2017-05-12\"\r\n \r\n strings:\r\n $s1 = \"Ooops, your files have been encrypted!\" wide ascii nocase\r\n $s2 = \"Wanna Decryptor\" wide ascii nocase\r\n $s3 = \".wcry\" wide ascii nocase\r\n $s4 = \"WANNACRY\" wide ascii nocase\r\n $s5 = \"WANACRY!\" wide ascii nocase\r\n $s7 = \"icacls . /grant Everyone:F /T /C /Q\" wide ascii nocase\r\n \r\n condition:\r\n any of them\r\n}"
},
{
"category": "Payload installation",
"comment": "Yara rule wannacry_2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332806",
"to_ids": false,
"type": "yara",
"uuid": "5c49af06-a53c-496e-83a1-0a740a646538",
"value": "rule wannacry_2\r\n{\r\n meta:\r\n author = \"Harold Ogden\"\r\n description = \"WannaCry Ransomware Strings\"\r\n date = \"2017-05-12\"\r\n weight = 100\r\n\r\n strings:\r\n $string1 = \"msg/m_bulgarian.wnry\"\r\n $string2 = \"msg/m_chinese (simplified).wnry\"\r\n $string3 = \"msg/m_chinese (traditional).wnry\"\r\n $string4 = \"msg/m_croatian.wnry\"\r\n $string5 = \"msg/m_czech.wnry\"\r\n $string6 = \"msg/m_danish.wnry\"\r\n $string7 = \"msg/m_dutch.wnry\"\r\n $string8 = \"msg/m_english.wnry\"\r\n $string9 = \"msg/m_filipino.wnry\"\r\n $string10 = \"msg/m_finnish.wnry\"\r\n $string11 = \"msg/m_french.wnry\"\r\n $string12 = \"msg/m_german.wnry\"\r\n $string13 = \"msg/m_greek.wnry\"\r\n $string14 = \"msg/m_indonesian.wnry\"\r\n $string15 = \"msg/m_italian.wnry\"\r\n $string16 = \"msg/m_japanese.wnry\"\r\n $string17 = \"msg/m_korean.wnry\"\r\n $string18 = \"msg/m_latvian.wnry\"\r\n $string19 = \"msg/m_norwegian.wnry\"\r\n $string20 = \"msg/m_polish.wnry\"\r\n $string21 = \"msg/m_portuguese.wnry\"\r\n $string22 = \"msg/m_romanian.wnry\"\r\n $string23 = \"msg/m_russian.wnry\"\r\n $string24 = \"msg/m_slovak.wnry\"\r\n $string25 = \"msg/m_spanish.wnry\"\r\n $string26 = \"msg/m_swedish.wnry\"\r\n $string27 = \"msg/m_turkish.wnry\"\r\n $string28 = \"msg/m_vietnamese.wnry\"\r\n\r\n condition:\r\n any of ($string*)\r\n}"
},
{
"category": "Payload installation",
"comment": "Yara rule WannaDecryptor: WannaDecryptor",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332825",
"to_ids": false,
"type": "yara",
"uuid": "5c49af19-a7c0-4985-8408-0b040a646538",
"value": "rule WannaDecryptor: WannaDecryptor\r\n{\r\n meta:\r\n description = \"Detection for common strings of WannaDecryptor\"\r\n\r\n strings:\r\n $id1 = \"taskdl.exe\"\r\n $id2 = \"taskse.exe\"\r\n $id3 = \"r.wnry\"\r\n $id4 = \"s.wnry\"\r\n $id5 = \"t.wnry\"\r\n $id6 = \"u.wnry\"\r\n $id7 = \"msg/m_\"\r\n\r\n condition:\r\n 3 of them\r\n}"
},
{
"category": "Payload installation",
"comment": "Yara rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332846",
"to_ids": false,
"type": "yara",
"uuid": "5c49af2e-4268-4f6c-8e7e-0a740a646538",
"value": "rule Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549: Wanna_Sample_84c82835a5d21bbcf75a61706d8ab549\r\n{\r\n meta:\r\n description = \"Specific sample match for WannaCryptor\"\r\n MD5 = \"84c82835a5d21bbcf75a61706d8ab549\"\r\n SHA1 = \"5ff465afaabcbf0150d1a3ab2c2e74f3a4426467\"\r\n SHA256 = \"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\"\r\n INFO = \"Looks for 'taskdl' and 'taskse' at known offsets\"\r\n\r\n strings:\r\n $taskdl = { 00 74 61 73 6b 64 6c }\r\n $taskse = { 00 74 61 73 6b 73 65 }\r\n\r\n condition:\r\n $taskdl at 3419456 and $taskse at 3422953\r\n}"
},
{
"category": "Payload installation",
"comment": "Yara rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332862",
"to_ids": false,
"type": "yara",
"uuid": "5c49af3e-6cec-4a29-ac04-0a730a646538",
"value": "rule Wanna_Sample_4da1f312a214c07143abeeafb695d904: Wanna_Sample_4da1f312a214c07143abeeafb695d904\r\n{\r\n meta:\r\n description = \"Specific sample match for WannaCryptor\"\r\n MD5 = \"4da1f312a214c07143abeeafb695d904\"\r\n SHA1 = \"b629f072c9241fd2451f1cbca2290197e72a8f5e\"\r\n SHA256 = \"aee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002c\"\r\n INFO = \"Looks for offsets of r.wry and s.wry instances\"\r\n\r\n strings:\r\n $rwnry = { 72 2e 77 72 79 }\r\n $swnry = { 73 2e 77 72 79 }\r\n\r\n condition:\r\n $rwnry at 88195 and $swnry at 88656 and $rwnry at 4495639\r\n}"
},
{
"category": "Payload installation",
"comment": "Yara rule NHS_Strain_Wanna: NHS_Strain_Wanna",
"deleted": false,
"disable_correlation": false,
"timestamp": "1548332878",
"to_ids": false,
"type": "yara",
"uuid": "5c49af4e-4038-4f74-ba91-0aec0a646538",
"value": "rule NHS_Strain_Wanna: NHS_Strain_Wanna\r\n{\r\n meta:\r\n description = \"Detection for worm-strain bundle of Wcry, DOublePulsar\"\r\n MD5 = \"db349b97c37d22f5ea1d1841e3c89eb4\"\r\n SHA1 = \"e889544aff85ffaf8b0d0da705105dee7c97fe26\"\r\n SHA256 = \"24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\"\r\n INFO = \"Looks for specific offsets of c.wnry and t.wnry strings\"\r\n\r\n strings:\r\n $cwnry = { 63 2e 77 6e 72 79 }\r\n $twnry = { 74 2e 77 6e 72 79 }\r\n\r\n condition:\r\n $cwnry at 262324 and $twnry at 267672 and $cwnry at 284970\r\n}"
}
]
}
}
Reference in a new issue View git blame Copy permalink