{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-06-06",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - CryptXXX Ransomware Learns the Samba, Other New Tricks With Version 3.100",
|
|
"publish_timestamp": "1465215109",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1465214413",
|
|
"uuid": "5755628d-ebd4-4150-abb0-4bfd950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#006c6c",
|
|
"name": "ecsirt:malicious-code=\"ransomware\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465213706",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5755630a-b728-4018-919c-4396950d210f",
|
|
"value": "https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465213732",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "57556324-f848-48fe-b41c-4954950d210f",
|
|
"value": "Proofpoint researchers have been tracking the rapid development of CryptXXX since they first discovered the ransomware in April [1]. In mid-May, the first major CryptXXX update temporarily broke the decryption tool available from our colleagues at Kaspersky Labs and locked the screens of infected PCs, making it harder to access the file systems [3]. Last week, we observed the latest version of CryptXXX (Version 3.100) in the wild, which introduced additional capabilities including network share encryption. For the time being, at least, it has once again rendered the decryption tool ineffective.\r\n\r\nThis new round of updates means that even if users are able to decrypt their files, whether through an updated third-party tool or by paying the ransom, CryptXXX can still cause significant downtime by encrypting files on network shares. In this post, we also detail for the first time the StillerX module that underlies the information-stealing capabilities in CryptXXX and allows threat actors to sell credentials or launch targeted attacks.\r\n- See more at: https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100#sthash.A46I51Xy.dpuf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "CryptXXX C&C (communication is plain TCP on port 443, not SSL/TLS; expect non-TLS traffic to this host on 443 rather than a TLS handshake)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465213777",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "57556351-973c-48c8-aa87-4672950d210f",
|
|
"value": "85.25.194.116"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "StillerX sample (2016-04-29)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465213985",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "57556421-ae98-438b-9b9f-4b44950d210f",
|
|
"value": "7e6ef093a00b60cc4d487725b1b02103a94b5a9299f5a752d48510e9180e2f88"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "StillerX sample (2016-06-01)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214144",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "575564c0-3360-41aa-89dc-464e950d210f",
|
|
"value": "011ff7879fbc4a51fd5acea6ef8a0cc7ee7afda35452063b627efe6cfb7c23de"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CryptXXX sample (2016-05-28)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214162",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "575564d2-3238-48dd-8b3f-4272950d210f",
|
|
"value": "36b96a2a476449f8a8653b04d4d5f506409d110235eafc60613207aba762d62c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CryptXXX sample (2016-05-31)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214190",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "575564e2-8fa4-4206-827e-475a950d210f",
|
|
"value": "139c9a4f3d8c2b244408644a78be6fdac353cc173727b47cb087e5b9fff10863"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CryptXXX sample (2016-05-31) - Xchecked via VT: 139c9a4f3d8c2b244408644a78be6fdac353cc173727b47cb087e5b9fff10863",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214204",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575564fc-c040-4d55-8b48-4bfd02de0b81",
|
|
"value": "a3ce6e877365857c9de757d7a4183c9a6f98eb93"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CryptXXX sample (2016-05-31) - Xchecked via VT: 139c9a4f3d8c2b244408644a78be6fdac353cc173727b47cb087e5b9fff10863",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214204",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575564fc-f68c-419c-b73c-4ec902de0b81",
|
|
"value": "cb7769918a8237f08a4ef748aca2d9c4"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "CryptXXX sample (2016-05-31) - Xchecked via VT: 139c9a4f3d8c2b244408644a78be6fdac353cc173727b47cb087e5b9fff10863",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214204",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575564fc-97cc-40f4-a02d-495902de0b81",
|
|
"value": "https://www.virustotal.com/file/139c9a4f3d8c2b244408644a78be6fdac353cc173727b47cb087e5b9fff10863/analysis/1464720315/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CryptXXX sample (2016-05-28) - Xchecked via VT: 36b96a2a476449f8a8653b04d4d5f506409d110235eafc60613207aba762d62c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214204",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575564fc-7644-4049-bf11-4f3d02de0b81",
|
|
"value": "b0735aabb42c1105475983ce2f00228655cecd09"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "CryptXXX sample (2016-05-28) - Xchecked via VT: 36b96a2a476449f8a8653b04d4d5f506409d110235eafc60613207aba762d62c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214204",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575564fc-3c30-46d5-a432-4cc002de0b81",
|
|
"value": "e2ba73dc7ad68e65249e1672d5cb2dc3"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "CryptXXX sample (2016-05-28) - Xchecked via VT: 36b96a2a476449f8a8653b04d4d5f506409d110235eafc60613207aba762d62c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214205",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575564fd-d104-4573-8bdd-4ac302de0b81",
|
|
"value": "https://www.virustotal.com/file/36b96a2a476449f8a8653b04d4d5f506409d110235eafc60613207aba762d62c/analysis/1464973888/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "StillerX sample (2016-06-01) - Xchecked via VT: 011ff7879fbc4a51fd5acea6ef8a0cc7ee7afda35452063b627efe6cfb7c23de",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214205",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575564fd-63ec-4199-aad2-448902de0b81",
|
|
"value": "a68cc8f8e92e0cfcd8ca551a12d2ceb56a09959d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "StillerX sample (2016-06-01) - Xchecked via VT: 011ff7879fbc4a51fd5acea6ef8a0cc7ee7afda35452063b627efe6cfb7c23de",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214205",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575564fd-65a0-4dc6-a550-440502de0b81",
|
|
"value": "9bdedb2ed6fb049c4d58469716f9737a"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "StillerX sample (2016-06-01) - Xchecked via VT: 011ff7879fbc4a51fd5acea6ef8a0cc7ee7afda35452063b627efe6cfb7c23de",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214205",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575564fd-4084-417a-8a33-4d8a02de0b81",
|
|
"value": "https://www.virustotal.com/file/011ff7879fbc4a51fd5acea6ef8a0cc7ee7afda35452063b627efe6cfb7c23de/analysis/1464964307/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "StillerX sample (2016-04-29) - Xchecked via VT: 7e6ef093a00b60cc4d487725b1b02103a94b5a9299f5a752d48510e9180e2f88",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214205",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "575564fd-cf54-4538-b70e-433602de0b81",
|
|
"value": "5a3a0ed4c3b6c5cc6e6d5b7db707e60e5d049442"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "StillerX sample (2016-04-29) - Xchecked via VT: 7e6ef093a00b60cc4d487725b1b02103a94b5a9299f5a752d48510e9180e2f88",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214206",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "575564fe-8ca4-41d0-9f52-433202de0b81",
|
|
"value": "1b8d33f27c9fac662028c788a86e80fd"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "StillerX sample (2016-04-29) - Xchecked via VT: 7e6ef093a00b60cc4d487725b1b02103a94b5a9299f5a752d48510e9180e2f88",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1465214206",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "575564fe-9fe4-4c3a-adc6-41ea02de0b81",
|
|
"value": "https://www.virustotal.com/file/7e6ef093a00b60cc4d487725b1b02103a94b5a9299f5a752d48510e9180e2f88/analysis/1464964304/"
|
|
}
|
|
]
|
|
}
|
|
} |