160 lines
No EOL
6.2 KiB
JSON
160 lines
No EOL
6.2 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-06-27",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - D\u00c3\u00a9j\u00c3\u00a0 vu: Petya ransomware appears with SMB propagation capabilities",
|
|
"publish_timestamp": "1498593909",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1498593781",
|
|
"uuid": "5952b89d-104c-436d-a8bd-476202de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": false,
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#2c4f00",
|
|
"local": false,
|
|
"name": "malware_classification:malware-category=\"Ransomware\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:ransomware=\"Petya\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5952b8a9-0554-49ea-b10b-481602de0b81",
|
|
"value": "The Petya outbreak recorded on 27 June 2017 has had a significant impact on a number of global organisations, with media outlets reporting impacts as significant as the cessation of activity at the Port of Rotterdam in the Netherlands [1].\r\n\r\nWhile many may be loath to think back six weeks to the trauma of May\u00e2\u20ac\u2122s WannaCry outbreak (https://blogs.forcepoint.com/security-labs/wannacry-post-outbreak-analysis), there are a number of parallels between the two incidents ranging from the global reach of the outbreak to the techniques by which the malware is spread."
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5952b951-4e0c-43af-96a9-4d8b02de0b81",
|
|
"value": "https://blogs.forcepoint.com/security-labs/deja-vu-petya-ransomware-appears-smb-propagation-capabilities"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "orcepoint Security Labs has analysed one sample associated with the outbreak",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5952b96c-d99c-4a1c-bbd7-4bf802de0b81",
|
|
"value": "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5952b995-7028-4073-bd6b-10ed02de0b81",
|
|
"value": "http://www.ad.nl/rotterdam/grote-hack-bij-maersk-legt-rotterdamse-containerterminal-plat~a60dd307/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5952b995-7fd8-4b6e-8c34-10ed02de0b81",
|
|
"value": "https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5952b995-7480-46b3-b11a-10ed02de0b81",
|
|
"value": "https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5952b995-2c9c-4ad0-a55b-10ed02de0b81",
|
|
"value": "https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012"
|
|
},
|
|
{
|
|
"category": "Financial fraud",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": true,
|
|
"type": "btc",
|
|
"uuid": "5952b9a4-f444-4b57-a179-10e402de0b81",
|
|
"value": "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5952b9cc-63e4-4af1-899f-49b502de0b81",
|
|
"value": "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5952b9cc-d418-44c1-a185-462502de0b81",
|
|
"value": "71b6a493388e7d0b40c83ce903bc6b04"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "orcepoint Security Labs has analysed one sample associated with the outbreak - Xchecked via VT: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1498593740",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5952b9cc-0848-4d44-bfac-495302de0b81",
|
|
"value": "https://www.virustotal.com/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/1498592986/"
|
|
}
|
|
]
|
|
}
|
|
} |