221 lines
No EOL
7.1 KiB
JSON
221 lines
No EOL
7.1 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2020-01-17",
|
|
"extends_uuid": "",
|
|
"info": "Ako Ransomware",
|
|
"publish_timestamp": "1580456344",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1580456326",
|
|
"uuid": "5e211b87-8f34-43f5-b02b-42e4950d210f",
|
|
"Orgc": {
|
|
"name": "wilbursecurity.com",
|
|
"uuid": "5e16d2bc-5c68-4ef1-bc80-47f5950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffd890",
|
|
"local": "0",
|
|
"name": " Ransomware",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Locker.exe",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579228479",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5e211d3f-2db0-45f0-bfe5-479c950d210f",
|
|
"value": "ae8e02d15c9b45a751e4e7f177f27f5ba7663fe6ec4b53cc68a6c1f5c2a3cfd9"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Locker.exe",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579228480",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5e211d40-5edc-4756-8ccc-4d80950d210f",
|
|
"value": "c0501e264531f29854bdaa872eb12c30b5875200"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Locker.exe",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579228480",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5e211d40-bd24-496b-b4e7-448f950d210f",
|
|
"value": "ef2697aa224266b204127722771bc209"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579229116",
|
|
"to_ids": false,
|
|
"type": "other",
|
|
"uuid": "5e211ea9-58d4-4ef9-a5ef-40d7950d210f",
|
|
"value": "Commands Run\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nbcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nwbadmin DELETE SYSTEMSTATEBACKUP\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest\r\nwmic.exe SHADOWCOPY /nointeractive"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579274836",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5e211f10-6480-42ab-8b19-4de9950d210f",
|
|
"value": "https://app.any.run/tasks/5f4740c6-023a-4214-a96a-97b05e8b440e/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579228985",
|
|
"to_ids": false,
|
|
"type": "ip-src",
|
|
"uuid": "5e211f39-d0a8-43d2-8995-48cf950d210f",
|
|
"value": "185.167.160.83"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579274830",
|
|
"to_ids": false,
|
|
"type": "other",
|
|
"uuid": "5e211f8e-94cc-4067-b97f-485f950d210f",
|
|
"value": "Tor Ransom page\r\n\r\nhttp://kwvhrdibgmmpkhkidrby4mccwqpds5za6uo2thcw5gz75qncv7rbhyad.onion/C2SNJM7PHLUI0QQV"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1579275691",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5e213034-de04-4974-820b-4b35950d210f",
|
|
"value": "https://wilbursecurity.com/2020/01/ako-ransomware"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
|
|
"meta-category": "file",
|
|
"name": "registry-key",
|
|
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
|
|
"template_version": "4",
|
|
"timestamp": "1579275850",
|
|
"uuid": "5e21d353-e354-456a-ba6b-4647950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "key",
|
|
"timestamp": "1579275850",
|
|
"to_ids": true,
|
|
"type": "regkey",
|
|
"uuid": "5e21d354-c574-4de7-bc78-450b950d210f",
|
|
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "name",
|
|
"timestamp": "1579275850",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5e21d354-98d8-4594-ac85-4b6f950d210f",
|
|
"value": "EnableLinkedConnections"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "data",
|
|
"timestamp": "1579275850",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5e21d354-e3f8-47d8-b94e-499e950d210f",
|
|
"value": "1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
|
|
"meta-category": "file",
|
|
"name": "registry-key",
|
|
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
|
|
"template_version": "4",
|
|
"timestamp": "1579275314",
|
|
"uuid": "5e21d432-c228-4d2c-8d51-43ab950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "key",
|
|
"timestamp": "1579275335",
|
|
"to_ids": true,
|
|
"type": "regkey",
|
|
"uuid": "5e21d432-e4f8-4b2f-9f62-46ef950d210f",
|
|
"value": "HKEY_CURRENT_USER\\Software\\acfg"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "name",
|
|
"timestamp": "1579275340",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5e21d433-981c-4908-8617-4308950d210f",
|
|
"value": "aid"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "data",
|
|
"timestamp": "1579275350",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5e21d433-18f4-4980-b89d-4c1b950d210f",
|
|
"value": ".(randomly generated key)"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |