misp-circl-feed/feeds/circl/misp/5a37887b-efe0-43ba-8542-435c950d210f.json


{
"Event": {
"analysis": "2",
"date": "2017-08-31",
"extends_uuid": "",
"info": "OSINT - Active ransomware attack uses impersonation and embedded advanced threats",
"publish_timestamp": "1514467840",
"published": true,
"threat_level_id": "3",
"timestamp": "1513738826",
"uuid": "5a37887b-efe0-43ba-8542-435c950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#2c4f00",
"local": false,
"name": "malware_classification:malware-category=\"Ransomware\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1513594331",
"to_ids": false,
"type": "comment",
"uuid": "5a378895-b7d8-49b2-a28c-44ca950d210f",
"value": "In this attack, the source of the email is a spoofed address, and the attachment name and number are included in the subject line and body of the message. The full subject line in this example is \u201cEmailing: Payment_201708-6165\u201d and the number in the attachment name is variable.",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1513594331",
"to_ids": false,
"type": "link",
"uuid": "5a3788f1-413c-4fb5-aba2-4898950d210f",
"value": "https://blog.barracuda.com/2017/08/31/active-ransomware-attack-uses-impersonation-and-embedded-advanced-threats/",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
]
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1513589237",
"uuid": "5a3789f2-9004-4a04-a2e8-473b950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5a3789f2-9004-4a04-a2e8-473b950d210f",
"referenced_uuid": "bd9400ef-6830-41e8-bf08-6f8a05193923",
"relationship_type": "analysed-with",
"timestamp": "1514467840",
"uuid": "5a379ddc-38ec-4f08-9690-488602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1513589234",
"to_ids": true,
"type": "sha1",
"uuid": "5a3789f2-4988-41dd-aa0a-4493950d210f",
"value": "d5d67631683c9e3d5021334477746a1e64ea2dff"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513589234",
"to_ids": true,
"type": "sha256",
"uuid": "5a3789f2-4a8c-492b-b682-4096950d210f",
"value": "87d0d011b8b456ce8fa15afea8df5e5fbf1bad5cb3305272016ca0db9c204d90"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1513589234",
"to_ids": true,
"type": "md5",
"uuid": "5a3789f2-dab8-4ded-819b-4cda950d210f",
"value": "fa527ff057e1be5101da4481d38ba968"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1513589234",
"to_ids": false,
"type": "text",
"uuid": "5a3789f2-f5ac-40c3-ad1a-4237950d210f",
"value": "Malicious"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "size-in-bytes",
"timestamp": "1513589234",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5a3789f2-80d8-4064-8e0b-4f0f950d210f",
"value": "20363"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Email object describing an email with meta-information",
"meta-category": "network",
"name": "email",
"template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"template_version": "7",
"timestamp": "1513590107",
"uuid": "5a378d5b-bcac-4fda-816f-48e8950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "number is variable",
"deleted": false,
"disable_correlation": false,
"object_relation": "subject",
"timestamp": "1513590107",
"to_ids": false,
"type": "email-subject",
"uuid": "5a378d5b-d8b4-4f80-9933-41c1950d210f",
"value": "Emailing: Payment_201708-1160"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "attachment",
"timestamp": "1513590107",
"to_ids": true,
"type": "email-attachment",
"uuid": "5a378d5b-f760-4ef6-bee5-47c1950d210f",
"value": "201708-1160.7z"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "send-date",
"timestamp": "1513590107",
"to_ids": false,
"type": "datetime",
"uuid": "5a378d5b-6eec-49c0-9a98-4079950d210f",
"value": "2017-08-30T02:13:17"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1513594331",
"uuid": "bd9400ef-6830-41e8-bf08-6f8a05193923",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1513594332",
"to_ids": false,
"type": "link",
"uuid": "5a379ddc-112c-41c3-ae7e-441602de0b81",
"value": "https://www.virustotal.com/file/87d0d011b8b456ce8fa15afea8df5e5fbf1bad5cb3305272016ca0db9c204d90/analysis/1505917656/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1513594332",
"to_ids": false,
"type": "text",
"uuid": "5a379ddc-e090-4f00-a188-4ad902de0b81",
"value": "37/59"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1513594332",
"to_ids": false,
"type": "datetime",
"uuid": "5a379ddc-6838-4c7d-92e3-459f02de0b81",
"value": "2017-09-20T14:27:36"
}
]
}
]
}
}