{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2018-11-30",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Making a Ransomware Payment? It May Now Violate U.S. Sanctions",
|
|
"publish_timestamp": "1544041458",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1544041447",
|
|
"uuid": "5c04f23f-fd50-4445-ba0b-40b3950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:ransomware=\"Samas-Samsam\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:malpedia=\"SamSam\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#2c4f00",
|
|
"local": "0",
|
|
"name": "malware_classification:malware-category=\"Ransomware\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543830329",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5c04fb39-311c-44cf-ab12-4637950d210f",
|
|
"value": "https://www.blockchain.com/btc/address/149w62rY42aZBox8fGcmqNsXUzSStKeq8C"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543830329",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5c04fb39-1a6c-4032-9faa-419e950d210f",
|
|
"value": "https://www.blockchain.com/btc/address/1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543830329",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5c04fb39-c988-48c8-9dda-4a05950d210f",
|
|
"value": "https://www.bleepingcomputer.com/news/security/making-a-ransomware-payment-it-may-now-violate-us-sanctions/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543846924",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5c053c0c-8fd0-477d-8150-4533950d210f",
|
|
"value": "iranvisacart@yahoo.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543846925",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5c053c0d-bcb0-49ad-bb0a-4bc0950d210f",
|
|
"value": "alikhorashadi@yahoo.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543846925",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5c053c0d-1e50-4b7f-81cc-41db950d210f",
|
|
"value": "mastercartaria@yahoo.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543846926",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5c053c0e-c268-4be8-8b67-43f1950d210f",
|
|
"value": "toppglasses@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543846926",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5c053c0e-a968-4d69-8613-43cf950d210f",
|
|
"value": "iranian_boy5@yahoo.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543849765",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5c054725-27e8-455c-afbc-4ebc950d210f",
|
|
"value": "www.enexchanger.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543849766",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5c054726-cec0-4fe0-9e95-4bb4950d210f",
|
|
"value": "enexchanger@gmail.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1543849766",
|
|
"to_ids": true,
|
|
"type": "email-src",
|
|
"uuid": "5c054726-fb24-4a0c-a93d-41fd950d210f",
|
|
"value": "ensaniyat1365@gmail.com"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An address used in a cryptocurrency",
|
|
"meta-category": "financial",
|
|
"name": "coin-address",
|
|
"template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",
|
|
"template_version": "4",
|
|
"timestamp": "1543832646",
|
|
"uuid": "5c04f529-effc-4355-b816-4174950d210f",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c04f529-effc-4355-b816-4174950d210f",
|
|
"referenced_uuid": "5c04fb39-1a6c-4032-9faa-419e950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543832646",
|
|
"uuid": "5c050446-17b0-4e64-8f16-4b8b950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Financial fraud",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "address",
|
|
"timestamp": "1543828777",
|
|
"to_ids": true,
|
|
"type": "btc",
|
|
"uuid": "5c04f529-1e64-4e83-92ae-453f950d210f",
|
|
"value": "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "symbol",
|
|
"timestamp": "1543828777",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c04f529-831c-434b-bdad-4e3e950d210f",
|
|
"value": "BTC"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An address used in a cryptocurrency",
|
|
"meta-category": "financial",
|
|
"name": "coin-address",
|
|
"template_uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",
|
|
"template_version": "4",
|
|
"timestamp": "1543831366",
|
|
"uuid": "5c04f61e-f3cc-4c8c-8ae1-4e77950d210f",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c04f61e-f3cc-4c8c-8ae1-4e77950d210f",
|
|
"referenced_uuid": "5c04fb39-311c-44cf-ab12-4637950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543831365",
|
|
"uuid": "5c04ff45-6aac-40a4-9742-49fa950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Financial fraud",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "address",
|
|
"timestamp": "1543829022",
|
|
"to_ids": true,
|
|
"type": "btc",
|
|
"uuid": "5c04f61e-e908-49ae-be5c-4ec7950d210f",
|
|
"value": "149w62rY42aZBox8fGcmqNsXUzSStKeq8C"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "symbol",
|
|
"timestamp": "1543829023",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c04f61f-3e90-41dc-a124-465c950d210f",
|
|
"value": "BTC"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object which describes a person or an identity.",
|
|
"meta-category": "misc",
|
|
"name": "person",
|
|
"template_uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
|
|
"template_version": "3",
|
|
"timestamp": "1543847140",
|
|
"uuid": "5c05399d-daac-4062-9269-47a2950d210f",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c05399d-daac-4062-9269-47a2950d210f",
|
|
"referenced_uuid": "5c04f61e-f3cc-4c8c-8ae1-4e77950d210f",
|
|
"relationship_type": "uses",
|
|
"timestamp": "1543846333",
|
|
"uuid": "5c0539bd-1e38-4cad-b585-46dc950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c05399d-daac-4062-9269-47a2950d210f",
|
|
"referenced_uuid": "5c053c0c-8fd0-477d-8150-4533950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543847109",
|
|
"uuid": "5c053cc5-5294-4d93-ba1f-4805950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c05399d-daac-4062-9269-47a2950d210f",
|
|
"referenced_uuid": "5c053c0d-bcb0-49ad-bb0a-4bc0950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543847121",
|
|
"uuid": "5c053cd1-a318-4bbe-b4a6-485f950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c05399d-daac-4062-9269-47a2950d210f",
|
|
"referenced_uuid": "5c053c0d-1e50-4b7f-81cc-41db950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543847129",
|
|
"uuid": "5c053cd9-97b0-4b04-af6e-43a5950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c05399d-daac-4062-9269-47a2950d210f",
|
|
"referenced_uuid": "5c053c0e-c268-4be8-8b67-43f1950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543847134",
|
|
"uuid": "5c053cde-b22c-4f57-b998-4d48950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c05399d-daac-4062-9269-47a2950d210f",
|
|
"referenced_uuid": "5c053c0e-a968-4d69-8613-43cf950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543847140",
|
|
"uuid": "5c053ce4-9850-427c-b72f-4f7d950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "nationality",
|
|
"timestamp": "1543846302",
|
|
"to_ids": false,
|
|
"type": "nationality",
|
|
"uuid": "5c05399e-a3c0-4126-b343-4182950d210f",
|
|
"value": "Iran"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "passport-number",
|
|
"timestamp": "1543846302",
|
|
"to_ids": false,
|
|
"type": "passport-number",
|
|
"uuid": "5c05399e-1368-44eb-b1ff-4276950d210f",
|
|
"value": "T14553558"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "passport-country",
|
|
"timestamp": "1543846302",
|
|
"to_ids": false,
|
|
"type": "passport-country",
|
|
"uuid": "5c05399e-1630-4e0a-997f-4b00950d210f",
|
|
"value": "Iran"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "passport-expiration",
|
|
"timestamp": "1543846302",
|
|
"to_ids": false,
|
|
"type": "passport-expiration",
|
|
"uuid": "5c05399e-1ee8-4bcc-be2e-4075950d210f",
|
|
"value": "29 Oct 2013"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "gender",
|
|
"timestamp": "1543846302",
|
|
"to_ids": false,
|
|
"type": "gender",
|
|
"uuid": "5c05399e-115c-47e8-b53c-416d950d210f",
|
|
"value": "Male"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "date-of-birth",
|
|
"timestamp": "1543846302",
|
|
"to_ids": false,
|
|
"type": "date-of-birth",
|
|
"uuid": "5c05399e-beac-424f-87b4-4c76950d210f",
|
|
"value": "21 Sep 1979"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-name",
|
|
"timestamp": "1543846303",
|
|
"to_ids": false,
|
|
"type": "last-name",
|
|
"uuid": "5c05399f-c6fc-4446-958c-4091950d210f",
|
|
"value": "KHORASHADIZADEH"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "first-name",
|
|
"timestamp": "1543846303",
|
|
"to_ids": false,
|
|
"type": "first-name",
|
|
"uuid": "5c05399f-27bc-4fec-a652-43a2950d210f",
|
|
"value": "Ali"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "alias",
|
|
"timestamp": "1543846303",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c05399f-0170-47df-b228-417c950d210f",
|
|
"value": "Mastercartaria"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "alias",
|
|
"timestamp": "1543846304",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c0539a0-a534-4b5a-97b2-4290950d210f",
|
|
"value": "Iranvisacart"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "place-of-birth",
|
|
"timestamp": "1543846304",
|
|
"to_ids": false,
|
|
"type": "place-of-birth",
|
|
"uuid": "5c0539a0-a540-4ad6-a5de-4480950d210f",
|
|
"value": "Tehran, Iran"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object which describes a person or an identity.",
|
|
"meta-category": "misc",
|
|
"name": "person",
|
|
"template_uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
|
|
"template_version": "3",
|
|
"timestamp": "1543850397",
|
|
"uuid": "5c054301-3b28-4b5c-bfe1-4083950d210f",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c054301-3b28-4b5c-bfe1-4083950d210f",
|
|
"referenced_uuid": "5c04f529-effc-4355-b816-4174950d210f",
|
|
"relationship_type": "uses",
|
|
"timestamp": "1543849790",
|
|
"uuid": "5c05473e-3c04-43d5-a923-4f20950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c054301-3b28-4b5c-bfe1-4083950d210f",
|
|
"referenced_uuid": "5c054725-27e8-455c-afbc-4ebc950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543850355",
|
|
"uuid": "5c054973-e7cc-470b-a38c-4872950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c054301-3b28-4b5c-bfe1-4083950d210f",
|
|
"referenced_uuid": "5c054726-cec0-4fe0-9e95-4bb4950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543850391",
|
|
"uuid": "5c054997-6bf8-43fe-a3ce-4a11950d210f"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5c054301-3b28-4b5c-bfe1-4083950d210f",
|
|
"referenced_uuid": "5c054726-fb24-4a0c-a93d-41fd950d210f",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1543850397",
|
|
"uuid": "5c05499d-c1ac-48f5-9bc0-4c72950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "nationality",
|
|
"timestamp": "1543848705",
|
|
"to_ids": false,
|
|
"type": "nationality",
|
|
"uuid": "5c054301-9804-4513-874c-4514950d210f",
|
|
"value": "Iran"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "gender",
|
|
"timestamp": "1543848706",
|
|
"to_ids": false,
|
|
"type": "gender",
|
|
"uuid": "5c054302-6db0-4a39-ad39-4c11950d210f",
|
|
"value": "Male"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "date-of-birth",
|
|
"timestamp": "1543848706",
|
|
"to_ids": false,
|
|
"type": "date-of-birth",
|
|
"uuid": "5c054302-2728-4053-8f6f-4ecc950d210f",
|
|
"value": "09 Mar 1987"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-name",
|
|
"timestamp": "1543848707",
|
|
"to_ids": false,
|
|
"type": "last-name",
|
|
"uuid": "5c054303-6418-4cda-a44e-4783950d210f",
|
|
"value": "GHORBANIYAN"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "first-name",
|
|
"timestamp": "1543848707",
|
|
"to_ids": false,
|
|
"type": "first-name",
|
|
"uuid": "5c054303-ea40-4920-a0be-467e950d210f",
|
|
"value": "Mohammad"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "alias",
|
|
"timestamp": "1543848707",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c054303-f09c-40cc-8386-4bfb950d210f",
|
|
"value": "GHORBANIAN, Mohammad"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "alias",
|
|
"timestamp": "1543848708",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c054304-a1c0-4fa5-9070-4e1e950d210f",
|
|
"value": "Ensaniyat_Exchanger"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "alias",
|
|
"timestamp": "1543848708",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c054304-d670-4a4c-8b21-4331950d210f",
|
|
"value": "Ensaniyat"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "alias",
|
|
"timestamp": "1543848709",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5c054305-5f20-4c83-addd-4fe0950d210f",
|
|
"value": "EnExchanger"
|
|
},
|
|
{
|
|
"category": "Person",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "place-of-birth",
|
|
"timestamp": "1543848709",
|
|
"to_ids": false,
|
|
"type": "place-of-birth",
|
|
"uuid": "5c054305-ba88-471f-86aa-42ef950d210f",
|
|
"value": "Tehran, Iran"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |