295 lines
No EOL
9 KiB
JSON
295 lines
No EOL
9 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-12-13",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - WORK Cryptomix Ransomware Variant Released",
|
|
"publish_timestamp": "1518771517",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1518231654",
|
|
"uuid": "5a338667-b794-44c5-80e8-4892950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:ransomware=\"CryptoMix\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#2c4f00",
|
|
"local": "0",
|
|
"name": "malware_classification:malware-category=\"Ransomware\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185240",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a338686-a0b4-469e-b794-4c09950d210f",
|
|
"value": "https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185241",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5a338727-77d4-4495-972d-4244950d210f",
|
|
"value": "Today, BleepingComputer discovered a new variant of the CryptoMix ransomware that appends the .WORK extension to encrypted files and changes the contact emails used by the ransomware.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513327009",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a33875c-a52c-4b5e-803f-4a0c950d210f",
|
|
"value": "69fa88c5b353f55edbb7187c090bee377e54900e1c78c580d7b3b3084c9d7d0b",
|
|
"Tag": [
|
|
{
|
|
"colour": "#3b0020",
|
|
"local": "0",
|
|
"name": "workflow:todo=\"expansion\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185241",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a33875d-aedc-46fa-b170-4667950d210f",
|
|
"value": "_HELP_INSTRUCTION.TXT"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185241",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "5a33875d-792c-4b13-8ad6-4276950d210f",
|
|
"value": "C:ProgramData[random].exe"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185242",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5a33875d-34c8-428e-98c2-457f950d210f",
|
|
"value": "worknow@keemail.me"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185242",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5a33875d-32f0-41fc-b4cc-418b950d210f",
|
|
"value": "worknow@protonmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185243",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5a33875d-da44-4ec0-b1d0-4037950d210f",
|
|
"value": "worknow8@yandex.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185243",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5a33875d-17bc-4af9-9416-49f1950d210f",
|
|
"value": "worknow9@yandex.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1518185243",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5a33875d-dd64-4265-8284-43c9950d210f",
|
|
"value": "worknow@techie.com"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1518185247",
|
|
"uuid": "8f691e80-d2db-4dad-88b8-a9218e0d0f2c",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "8f691e80-d2db-4dad-88b8-a9218e0d0f2c",
|
|
"referenced_uuid": "bc0024c6-ba70-4acd-88df-84a6fdd20327",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1518771517",
|
|
"uuid": "5a7dab1e-65d8-494a-921e-48f202de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1518185244",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a7dab1c-3190-4523-bd56-47e802de0b81",
|
|
"value": "04f257d130f560401c5a937d679b022a233fa7e2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1518185244",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a7dab1c-ebfc-4746-b038-428702de0b81",
|
|
"value": "69fa88c5b353f55edbb7187c090bee377e54900e1c78c580d7b3b3084c9d7d0b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1518185245",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a7dab1d-c8e0-48ef-84d8-439102de0b81",
|
|
"value": "5f4c9824ae0a9134050a7ae8ac1e555a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1518185245",
|
|
"uuid": "bc0024c6-ba70-4acd-88df-84a6fdd20327",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1518185245",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a7dab1d-ac48-442c-bf1a-424a02de0b81",
|
|
"value": "https://www.virustotal.com/file/69fa88c5b353f55edbb7187c090bee377e54900e1c78c580d7b3b3084c9d7d0b/analysis/1513332835/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1518185246",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a7dab1e-9bb0-49b5-ab98-499f02de0b81",
|
|
"value": "48/67"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1518185246",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a7dab1e-2afc-47ba-b732-48b502de0b81",
|
|
"value": "2017-12-15T10:13:55"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |