{
"Event": {
"analysis": "2",
"date": "2016-04-11",
"extends_uuid": "",
"info": "OSINT - Locky Ransomware Domains \u2013 Followup Analysis Uncovers 130 New Indicators",
"publish_timestamp": "1460358688",
"published": true,
"threat_level_id": "3",
"timestamp": "1460358659",
"uuid": "570b4c28-7480-4be0-b858-493e950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#004646",
"name": "type:OSINT"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358258",
"to_ids": false,
"type": "link",
"uuid": "570b4c72-59b8-46a3-8795-45b0950d210f",
"value": "https://blog.threatstop.com/2016/04/08/locky-ransomware-domains-followup-research/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358276",
"to_ids": false,
"type": "comment",
"uuid": "570b4c84-3afc-4f93-8d8a-4fe2950d210f",
"value": "Recently, there has been a lot of buzz over a flourishing ransomware that goes by the name of Locky, which encrypts a victim\u2019s data using a strong RSA-2048+AES-128 encryption and then demands between 0.5-2 bitcoins for the decryption of that data.\r\n\r\nThe ransomware debuted in early 2016 and is currently being distributed in various ways, including spam emails that contain Word and Excel documents with malicious macros, as well as JS scripts. Locky is also delivered via popular Exploit Kits such as Nuclear and Neutrino.\r\n\r\nLocky has widespread reach, having been used to attack victims in over 100 countries. During its first days of activity, it managed to deploy 100,000 infection attempts per day. Just recently, the ransomware was used in an attack on a Kentucky hospital, which caused them to declare an \u201cInternal State of Emergency.\u201d\r\n\r\nThe ThreatSTOP Research Team has been monitoring new Indicators of Compromise for this ransomware since its debut, and has analyzed hundreds of relevant indicators. During our analysis on these indicators, we noticed four outstanding domains\u2013legitimate-looking domains with the addition of the string \u201cqq\u201d or \u201cff\u201d at the end of the domain name. These domains sparked a follow up analysis that led to amazing results."
},
{
"category": "Network activity",
"comment": "The first step of the analysis was to map the IP connections between the 4 initial domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358316",
"to_ids": true,
"type": "domain",
"uuid": "570b4cac-07e4-452c-8c2c-44a7950d210f",
"value": "hellomydearqq.com"
},
{
"category": "Network activity",
"comment": "The first step of the analysis was to map the IP connections between the 4 initial domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358316",
"to_ids": true,
"type": "domain",
"uuid": "570b4cac-2a78-4076-8b86-4f46950d210f",
"value": "blablaworldqq.com"
},
{
"category": "Network activity",
"comment": "The first step of the analysis was to map the IP connections between the 4 initial domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358317",
"to_ids": true,
"type": "domain",
"uuid": "570b4cad-d0c4-40e5-9716-49cb950d210f",
"value": "hellomisterbiznesqq.com"
},
{
"category": "Network activity",
"comment": "The first step of the analysis was to map the IP connections between the 4 initial domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358338",
"to_ids": false,
"type": "domain",
"uuid": "570b4cc2-3078-49ce-8bfb-4686950d210f",
"value": "greetingsjamajcaff.com"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358376",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4ce8-2980-4400-b3ec-4008950d210f",
"value": "202.120.42.190"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358377",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4ce9-861c-4d68-9d5e-49ca950d210f",
"value": "51.255.10.133"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358377",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4ce9-5480-4e10-9c56-4dbf950d210f",
"value": "146.148.55.44"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358377",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4ce9-6918-45eb-bc39-46ae950d210f",
"value": "185.118.142.154"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358378",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4cea-84e8-4817-8ba1-495b950d210f",
"value": "51.254.226.223"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358378",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4cea-5110-4c7d-854c-47b4950d210f",
"value": "78.135.108.94"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358378",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4ceb-3598-43ee-9a7a-4ca4950d210f",
"value": "173.82.74.197"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358379",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4ceb-c1a4-44b0-bdf5-474f950d210f",
"value": "104.239.213.7"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358379",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4ceb-3374-437a-be7c-48b5950d210f",
"value": "198.105.244.11"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358380",
"to_ids": true,
"type": "ip-dst",
"uuid": "570b4cec-8550-4c2f-91f4-4958950d210f",
"value": "198.105.254.11"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460358659",
"to_ids": false,
"type": "comment",
"uuid": "570b4e03-dcb4-43f5-947f-41c3950d210f",
"value": "It seems the indicators in the post mix up the TeslaCrypt and Locky infrastructures. (Comment from CIRCL)"
}
]
}
} |