210 lines
No EOL
7.5 KiB
JSON
210 lines
No EOL
7.5 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "1",
|
|
"date": "2017-05-18",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Uiwix Ransomware Using EternalBlue SMB Exploit To Infect Victims",
|
|
"publish_timestamp": "1495133320",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1495133304",
|
|
"uuid": "591d952f-ff4c-4fae-92dd-4a9e950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#2c4f00",
|
|
"local": "0",
|
|
"name": "malware_classification:malware-category=\"Ransomware\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:ransomware=\"Uiwix Ransomware\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495118064",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "591d9936-2f90-4414-a72b-a002950d210f",
|
|
"value": "https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495118064",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "591d995a-28a0-42ab-a7aa-c521950d210f",
|
|
"value": "A littler over a week ago, a member posted a topic in our forums looking for help regarding a new ransomware that they were infected with. For this particular victim, the ransomware was appending the _2883765424.UIWIX extension to their files and was creating ransom notes named _DECODE_FILES.txt. Over the next few days, a few more victims posted in the thread and we saw an increasing amount of encrypted files submitted to our malware submission system and ID-Ransomware.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "591d9cb1-5244-4a7d-94d2-4c60950d210f",
|
|
"value": "146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": ">>> ALL YOUR PERSONAL FILES ARE DECODED <<<\r\n\r\nYour personal code: [10_digit_victim_id]\r\n\r\nTo decrypt your files, you need to buy special software.\r\nDo not attempt to decode or modify files, it may be broken.\r\nTo restore data, follow the instructions!\r\n\r\nYou can learn more at this site:\r\nhttps://4ujngbdqqm6t2c53.onion.to\r\nhttps://4ujngbdqqm6t2c53.onion.cab\r\nhttps://4ujngbdqqm6t2c53.onion.nu\r\n\r\nIf a resource is unavailable for a long time to install and use the tor browser.\r\nAfter you start the Tor browser you need to open this link http://4ujngbdqqm6t2c53.onion",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "591d9cbf-f594-49f8-9857-a009950d210f",
|
|
"value": "_DECODE_FILES.txt"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Uiwix Network Connections",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "591d9cda-b08c-47d3-85a7-4acf950d210f",
|
|
"value": "https://4ujngbdqqm6t2c53.onion.to"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Uiwix Network Connections",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "591d9cdb-521c-4402-9078-49b8950d210f",
|
|
"value": "https://4ujngbdqqm6t2c53.onion.cab"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Uiwix Network Connections",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "591d9cdb-5bcc-48c0-ae72-4cd7950d210f",
|
|
"value": "https://4ujngbdqqm6t2c53.onion.nu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Uiwix Network Connections",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "591d9cdb-bb58-4741-ae0d-462e950d210f",
|
|
"value": "http://4ujngbdqqm6t2c53.onion"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Uiwix Network Connections",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "591d9cdc-a944-42bf-92d1-4af5950d210f",
|
|
"value": "https://netcologne.dl.sourceforge.net/project/cyqlite/3.8.5/sqlite-dll-win32-x86-3080500.zip"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Uiwix Network Connections",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117959",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "591d9cdc-ee90-4fac-b4c0-4794950d210f",
|
|
"value": "http://sqlite.org/2014/sqlite-dll-win32-x86-3080500.zip"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117963",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "591db08b-c1ec-4e68-8bc1-c52102de0b81",
|
|
"value": "18aa7b02f933c753989ba3d16698a5ee3a4d9420"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117964",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "591db08c-ce94-480c-bab0-c52102de0b81",
|
|
"value": "a933a1a402775cfa94b6bee0963f4b46"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1495117964",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "591db08c-f04c-48da-83a5-c52102de0b81",
|
|
"value": "https://www.virustotal.com/file/146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc/analysis/1495112647/"
|
|
}
|
|
]
|
|
}
|
|
} |