{"Event": {"info": "OSINT - A Closer Look at the Mamba Ransomware that Struck San Francisco Rail System", "Tag": [{"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#2c4f00", "exportable": true, "name": "malware_classification:malware-category=\"Ransomware\""}], "publish_timestamp": "0", "timestamp": "1481108171", "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5847e4bb-1600-49aa-9c85-42a7950d210f", "timestamp": "1481106619", "to_ids": false, "value": "http://blog.fortinet.com/2016/12/05/a-closer-look-at-the-mamba-ransomware-that-struck-san-francisco-rail-system", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5847e4cb-3438-427b-a487-d9c5950d210f", "timestamp": "1481106635", "to_ids": false, "value": "Recently, the San Francisco Municipal Transportation Agency, also known as MUNI, was attacked by a new variant of Mamba (a.k.a. HDDCryptor) \u2013 a disk-encrypting ransomware. The incident left their ticketing services with inoperable systems and a note that read, \u201cYou Hacked,ALL Data Encrypted,Contact For Key(cryptom27@yandex.com)\u201d\r\n\r\nFortinet first discovered Mamba two months ago. Since then, it has been under the radar \u2013 until this big attack. 
We will now take a look at a few irregularities and some new developments it has employed over the past few months.", "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5847e51a-5130-40ed-9c6c-d9c5950d210f", "timestamp": "1481106737", "to_ids": true, "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\DefragmentService", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5847e51a-696c-415f-8bdb-d9c5950d210f", "timestamp": "1481106737", "to_ids": true, "value": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dcrypt", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e74e-77fc-464c-8660-d9c6950d210f", "timestamp": "1481107278", "to_ids": true, "value": "%SystemRoot%\\Users\\WWW\\dcrypt.sys", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e86f-e398-4fe6-a51e-ea04950d210f", "timestamp": "1481107567", "to_ids": true, "value": "%SystemRoot%\\Users\\WWW\\dcrypt.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e86f-8ce8-4981-ac89-ea04950d210f", "timestamp": "1481107567", "to_ids": true, "value": "%SystemRoot%\\Users\\WWW\\dcinst.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e86f-0b7c-4d8c-b0d7-ea04950d210f", "timestamp": "1481107567", "to_ids": true, "value": "%SystemRoot%\\Users\\WWW\\dccon.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e870-be90-47b6-bbcb-ea04950d210f", "timestamp": "1481107568", "to_ids": true, "value": 
"%SystemRoot%\\Users\\WWW\\dcapi.dll", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e870-abd0-4e49-abf5-ea04950d210f", "timestamp": "1481107568", "to_ids": true, "value": "%SystemRoot%\\Users\\WWW\\netpass.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e870-6414-4f2f-8172-ea04950d210f", "timestamp": "1481107568", "to_ids": true, "value": "%SystemRoot%\\Users\\WWW\\Mount.exe", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5847e870-02f4-4205-9c5f-ea04950d210f", "timestamp": "1481107568", "to_ids": true, "value": "%SystemRoot%\\Users\\WWW\\log_file.txt", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "W32/Mamba.WWW!tr (main executable)", "category": "Payload delivery", "uuid": "5847eacb-e9c0-4026-8d75-d9c3950d210f", "timestamp": "1481108171", "to_ids": true, "value": "645b8dfe73255d9e5be6e778292f3dde84ff8c5918a044ae42bcace0fe9ca279", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "W32/Mamba.WWW!tr (modified dcapi.dll)", "category": "Payload delivery", "uuid": "5847eacb-68f8-40f9-adac-d9c3950d210f", "timestamp": "1481108171", "to_ids": true, "value": "525fa1bf741aedac29a87925094ee7cd5849e3d162a6997db7202c04daccb882", "disable_correlation": false, "object_relation": null, "type": "sha256"}], "extends_uuid": "", "published": false, "date": "2016-12-05", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5847e4ac-de90-4358-a9a4-d9c3950d210f"}} |