2023-12-14 13:47:04 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2023-12-06" ,
"extends_uuid" : "" ,
"info" : "MAR-10478915-1.v1 Citrix Bleed" ,
"publish_timestamp" : "1701849510" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1701849487" ,
"uuid" : "124008c0-e519-4f1d-b1fd-bd42bfae2198" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : false ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : false ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:clear" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument. The output is printed to a file named 'z.txt' located in the path C:\\Windows\\Tasks. Next, a.bat pings the loop back internet protocol (IP) address 127.0.0[.]1 three times. \r\n\r\nThe next command it runs is reg save to save the HKLM\\SYSTEM registry hive into the C:\\Windows\\tasks\\em directory. Again, a.bat pings the loop back address 127.0.0[.]1 one time before executing another reg save command and saves the HKLM\\SAM registry hive into the C:\\Windows\\Task\\am directory. Next, a.bat runs three makecab commands to create three Cabinet (.cab) files from the previously mentioned saved registry hives and one file named C:\\Users\\Public\\a.png. The names of the .cab files are as follows:\r\n\r\n--Start names and paths of .cab files created--\r\nc:\\windows\\tasks\\em.cab\r\nc:\\windows\\tasks\\am.cab\r\nc:\\windows\\tasks\\a.cab\r\n--End names and paths of .cab files created--" ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2023-11-16T14:40:15.681862+00:00" ,
"timestamp" : "1695739347" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5c12b30f-2ece-411a-a2b6-905006a34587" ,
"value" : "'namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_01 rule_content=rule CISA_10478915_01 : trojan installs_other_components\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"installs-other-components\"\n\t\tmalware_Type = \"trojan\"\n\t\ttool_type = \"information-gathering\"\n\t\tdescription = \"Detects trojan .bat samples\"\n\t\tsha256 = \"98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9\"\n\tstrings:\n\t\t$s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }\n\t\t$s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d }\n\t\t$s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }\n\tcondition:\n\t\tall of them\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message \"[*]success\" in the console." ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2023-11-16T14:40:15.718020+00:00" ,
"timestamp" : "1695739347" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "84aeb797-4299-4ef7-b7ae-57f916ee5721" ,
"value" : "'namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_02 rule_content=rule CISA_10478915_02 : trojan installs_other_components\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"installs-other-components\"\n\t\tmalware_type = \"trojan\"\n\t\ttool_type = \"unknown\"\n\t\tdescription = \"Detects trojan PE32 samples\"\n\t\tsha256 = \"e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068\"\n\tstrings:\n\t\t$s1 = { 57 72 69 74 65 46 69 6c 65 }\n\t\t$s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 }\n\t\t$s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }\n\t\t$s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }\n\t\t$s5 = { 64 65 6c 65 74 65 5b 5d }\n\t\t$s6 = { 4e 41 4e 28 49 4e 44 29 }\n\tcondition:\n\t\tuint16(0) == 0x5a4d and pe.imphash() == \"6e8ca501c45a9b85fff2378cffaa24b2\" and pe.size_of_code == 84480 and all of them\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path C:\\Users\\Public.\r\n\r\nNext, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path C:\\Windows\\Tasks." ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2023-11-16T14:40:15.777680+00:00" ,
"timestamp" : "1695739347" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "f6384914-d773-4d7e-b9ed-e1838371c145" ,
"value" : "'namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_03 rule_content=rule CISA_10478915_03 : trojan steals_authentication_credentials credential_exploitation\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"steals-authentication-credentials\"\n\t\tmalware_type = \"trojan\"\n\t\ttool_type = \"credential-exploitation\"\n\t\tdescription = \"Detects trojan DLL samples\"\n\t\tsha256 = \"17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994\"\n\tstrings:\n\t\t$s1 = { 64 65 6c 65 74 65 }\n\t\t$s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }\n\t\t$s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }\n\t\t$s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }\n\t\t$s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }\n\t\t$s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }\n\tcondition:\n\t\tuint16(0) == 0x5a4d and pe.subsystem == pe.SUBSYSTEM_WINDOWS_CUI and pe.size_of_code == 56832 and all of them\n}"
} ,
{
"category" : "Payload installation" ,
"comment" : "This file is a Python script called a.py that attempts to leverage WinRM to establish a session. The script attempts to authenticate to the remote machine using NT LAN Manager (NTLM) if the keyword \"hashpasswd\" is present. If the keyword \"hashpasswd\" is not present, then the script attempts to authenticate using basic authentication. Once a WinRM session is established with the remote machine, the script has the ability to execute command line arguments on the remote machine. If there is no command specified, then a default command of \u201cwhoami\u201d is run." ,
"deleted" : false ,
"disable_correlation" : false ,
"first_seen" : "2023-11-16T14:40:15.805722+00:00" ,
"timestamp" : "1695739347" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "e9f069da-febc-449d-b923-22793ec3f067" ,
"value" : "'namespace'='CISA_Consolidated.yara' rule_name=CISA_10478915_04 rule_content=rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access\n{\n\tmeta:\n\t\tauthor = \"CISA Code & Media Analysis\"\n\t\tincident = \"10478915\"\n\t\tdate = \"2023-11-06\"\n\t\tlast_modified = \"20231108_1500\"\n\t\tactor = \"n/a\"\n\t\tfamily = \"n/a\"\n\t\tcapabilities = \"communicates-with-c2\"\n\t\tmalware_type = \"backdoor\"\n\t\ttool_type = \"remote-access\"\n\t\tdescription = \"Detects trojan python samples\"\n\t\tsha256 = \"906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6\"\n\tstrings:\n\t\t$s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 } \n\t\t$s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }\n\t\t$s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }\n\t\t$s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }\n\tcondition:\n\t\tall of them\n}"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "dd1e10de-b0f8-4bcf-861b-76fe980f055e" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "dd1e10de-b0f8-4bcf-861b-76fe980f055e" ,
"referenced_uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "474accde-9613-4db5-9b81-bbd8ef977b21"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e56e4026-c332-4ac6-a9f1-c184a5224c56" ,
"value" : "antiy"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "1340405c-0885-4eda-8eab-39e03ad3790d" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "af1bcb04-85d6-4f4e-9422-0599d9c7a43f" ,
"value" : "Trojan/Win64.Malgent"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1695739347" ,
"uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"referenced_uuid" : "eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"relationship_type" : "sample-of" ,
"timestamp" : "1701849221" ,
"uuid" : "08e986ee-eb3d-4c38-b357-a3275fc0d41f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "c60ceff4-f5b3-4dfb-88aa-48b6716cf573" ,
"value" : "37f7241963cf8279f7c1d322086a5194"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "0d04f15b-9934-4813-95d0-7f5b91e489de" ,
"value" : "ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "69744516-52c9-4807-8779-5276f4c07b72" ,
"value" : "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "61eb4a91-cdaa-46a5-97db-ac9863d4f756" ,
"value" : "02c2473b90ba787fea41a9840c7dc9a9869685ca8fdca3521278e0cc986e1797e36552f41f1ac206f5ec5bdc0ac40f13cd36217aea3aad13518e9764ea92c1f7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "9fcb720b-cd58-410f-87c3-eeb4754e6fec" ,
"value" : "3072:u8txkT6wDLf/p3ufznQbCQVlvxxV5hmWIh:NgpDbZufLQpjxJ9U"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "3c1ce1f8-272f-48d5-9752-956be5b5e8a2" ,
"value" : "a.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "969e43c3-50db-4039-b95a-3ee63c96c615" ,
"value" : "145920"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "a78aa17d-3dd4-483f-ba12-ca977debbc3b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "a78aa17d-3dd4-483f-ba12-ca977debbc3b" ,
"referenced_uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "4d9801ac-9713-406e-ac91-5e3f3c280911"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "3719ef1f-9874-4eba-afff-cf4ec794bb84" ,
"value" : "avira"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "27afc559-0f7f-45e2-b7ab-2287e46e7939" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c32e41c8-f249-44b2-82dd-0f0c091cf8c3" ,
"value" : "TR/Redcap.sbphc"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "9f5db9a7-9ef7-44f8-9189-553c2cc276f5" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "9f5db9a7-9ef7-44f8-9189-553c2cc276f5" ,
"referenced_uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "5f7b216d-91e8-4bf7-be08-fd6911cb893f"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2b5e1307-de50-49ce-92d3-fb1ef2eed196" ,
"value" : "bitdefender"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "93d920e2-229a-49f9-b42c-e1aa84ac7d02" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "188ed091-b1be-4805-8bda-4b8fcdda14c3" ,
"value" : "Trojan.GenericKD.70103917"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "c2abd168-d969-4160-b427-dacaf686f65e" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "c2abd168-d969-4160-b427-dacaf686f65e" ,
"referenced_uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "870656a4-7651-4ab2-8378-156e365cc5ee"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6d74d82f-4588-41b8-9e70-e50413c5e559" ,
"value" : "emsisoft"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "73ea4713-bfb3-4502-8e2d-2647e5bed92f" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "136a18fc-ea48-465e-b960-9db4d00cb2e4" ,
"value" : "Trojan.GenericKD.70103917 (B)"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "4b0f18bd-e09a-408d-9d36-415ca54ad600" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "4b0f18bd-e09a-408d-9d36-415ca54ad600" ,
"referenced_uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "08c2826a-c3dd-4ccc-9cb5-e0b9000e230a"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "1386b0be-1993-4a66-86a5-09999b28b9ac" ,
"value" : "ikarus"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "094a9625-2213-45d2-a517-13e4af80e0fd" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "1a697bc2-84bd-456d-91ae-5a0d7fc7e66a" ,
"value" : "Trojan.Win64.Malgent"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "5e485e81-7e00-42d7-9fc3-5c08690e9206" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5e485e81-7e00-42d7-9fc3-5c08690e9206" ,
"referenced_uuid" : "49552673-c8ea-50b9-a196-4663a33bfae8" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "26804dfd-6a94-47ad-9831-d971939f9b8a"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c249117-0ae0-4e4b-9343-60046af8f7b3" ,
"value" : "k7"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ca34df49-20cb-4d20-aa7f-897240cff51d" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e9cc610a-d65e-46b3-9abf-462597ba1b15" ,
"value" : "Riskware ( 00584baa1 )"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware is a type of TTP that represents malicious code." ,
"meta-category" : "misc" ,
"name" : "malware" ,
"template_uuid" : "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"referenced_uuid" : "272aca0e-f758-5014-b7e6-75a0305837d5" ,
"relationship_type" : "related-to" ,
"timestamp" : "1701849221" ,
"uuid" : "57fa305c-8a11-4b48-84f9-8c3d151f7503"
} ,
{
"comment" : "" ,
"object_uuid" : "eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"referenced_uuid" : "a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"relationship_type" : "related-to" ,
"timestamp" : "1701849221" ,
"uuid" : "9891bf14-bde7-41b8-9224-54c77aee6e43"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b8d927d5-bf1d-4875-935a-f27eceb11bc8" ,
"value" : "This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat. This file issues the Remote Procedure Call (RPC) ncalrpc:[lsasspirpc] to the RPC end point to provide a file path to the LSASS on the infected machine. Once the file path is returned, the malware loads the accompanying DLL file called a.dll into the running LSASS process. If the DLL is correctly loaded, then the malware outputs the message \"[*]success\" in the console."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "is_family" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "boolean" ,
"uuid" : "c41d1151-7227-43e8-8582-0ecd9b86ef85" ,
"value" : "0"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "malware_type" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8899c605-306d-417c-970d-dfc5a3ec733c" ,
"value" : "trojan"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"first_seen" : "2023-11-16T14:40:15.726853+00:00" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1695739347" ,
"uuid" : "d9f8b89d-305b-4e39-89cc-aad2f4a4a9a1" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "c1438128-eb9e-4d9d-8dd2-4c251c24ff27" ,
"value" : "37f7241963cf8279f7c1d322086a5194"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "c597584a-c954-4ee4-be51-09537587bc07" ,
"value" : "ec401ae8ddebef4038cedb65cc0d5ba6c1fdef28"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "4eaa3bac-d5ec-4cab-9537-5588a58c5113" ,
"value" : "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "ace164ad-0f52-42eb-a0a8-17a986a5b1d1" ,
"value" : "02c2473b90ba787fea41a9840c7dc9a9869685ca8fdca3521278e0cc986e1797e36552f41f1ac206f5ec5bdc0ac40f13cd36217aea3aad13518e9764ea92c1f7"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "a13bb548-ac3e-49d3-a5e2-a171d5bc2b43" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "a13bb548-ac3e-49d3-a5e2-a171d5bc2b43" ,
"referenced_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "13ca223d-bb27-4844-b713-a4d424f84bf4"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "de6ded26-c0d2-4867-87ef-3bf9858fb5a1" ,
"value" : "antiy"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a4b10d9b-0820-4db6-b8cb-6ff557deafaf" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6a08a2a6-8d6f-42a9-b3a6-04127c8d17f5" ,
"value" : "Trojan/Win64.Agent"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1695739347" ,
"uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"referenced_uuid" : "a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"relationship_type" : "sample-of" ,
"timestamp" : "1701849221" ,
"uuid" : "2e0d3efc-24d7-4c0c-a24c-77e2521bab0f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "baa9989f-5899-4f4e-bb9b-eebaca1247bc" ,
"value" : "206b8b9624ee446cad18335702d6da19"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "c6ee3b64-1caf-4f47-a9df-167b24bf55cd" ,
"value" : "364ef2431a8614b4ef9240afa00cd12bfba3119b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "3f81c550-10bd-462f-a5b4-92d9818f1e19" ,
"value" : "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "25f5f0ac-f62b-4635-8632-963162b2d4f1" ,
"value" : "efa720237bd2773719d7f8e377f63f93d25a691a6f2b8f52ff9ecbd1495c215690d01400d8b7fd9bb79b47de09817d72c82676b67ed70ecf61b002c7d8e9e11d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "13c42028-44eb-4000-991a-1823506117ec" ,
"value" : "3072:oCNLoO2N+p5Fm6nfZvD8sLVdN9dtFiokDFMYLcu:j1o/+34YRvDtFiwu"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "2dfa6218-8672-41b7-89d2-0e5da8f8b131" ,
"value" : "a.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "ce7b8892-31d7-4cf5-af69-b798b4b20f9e" ,
"value" : "106496"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "d5260841-3693-4b4e-b3f8-bffccc184799" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "d5260841-3693-4b4e-b3f8-bffccc184799" ,
"referenced_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "de9aa7f0-4b32-4887-b1f4-8ee822c28d03"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "175ea164-a465-4ea5-9ebb-43d50975ab17" ,
"value" : "bitdefender"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "56987a54-4a92-461b-a1fa-7ac580f82386" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ef81de8d-8237-4166-aa79-2d008cd5c687" ,
"value" : "Trojan.GenericKD.70057986"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "5f447be4-9408-4da0-be20-a0a8ef7a2d5b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5f447be4-9408-4da0-be20-a0a8ef7a2d5b" ,
"referenced_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "5e8ec4e4-34d1-4159-9cab-84ec9c4b586e"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f2795ce7-a785-4b2f-9118-f2d061dd366c" ,
"value" : "eset"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "94857e60-ef39-4849-ba72-27c5896ce23d" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b864d2b9-1b43-43af-9d8d-1b7ec4602c5d" ,
"value" : "a variant of Win64/Agent.DAU trojan"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "d7c20040-9114-4709-b609-d1f230198e1f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "d7c20040-9114-4709-b609-d1f230198e1f" ,
"referenced_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "6b62123d-b948-4b95-b41f-e1e59bf2800c"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5e7db3af-a26c-4fb6-823a-33bf14ebea55" ,
"value" : "emsisoft"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c0bedb4e-8f70-4ffa-a32e-ed12033e3586" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4c29d389-c8f3-42b1-9bc3-63c9264dfef9" ,
"value" : "Trojan.GenericKD.70057986 (B)"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "ac013608-5fc8-4eb4-93db-82e071ee002b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "ac013608-5fc8-4eb4-93db-82e071ee002b" ,
"referenced_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "478d7b28-96c9-4e55-ab3a-c0e0404e1bd9"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b2c7f3a1-a4c1-4e92-ad00-48911fc951bd" ,
"value" : "ikarus"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6bd79472-5c1a-4d8f-b32e-ea3cea81ad4b" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "510a5a69-3a9d-492c-bf30-76076efb9223" ,
"value" : "Trojan.Win64.Agent"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "440260c8-b268-471d-af38-b90279d8cd13" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "440260c8-b268-471d-af38-b90279d8cd13" ,
"referenced_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "400a6221-af2a-432e-b8d0-41f9fd8d7c45"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "423d5543-727a-436a-9e19-93fb8c4e9d16" ,
"value" : "k7"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "74d83513-4a59-4a64-9ba3-2b23e87e8372" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f1a22b3d-065d-415c-9043-a471caeb9ac7" ,
"value" : "Trojan ( 005ad67a1 )"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family." ,
"meta-category" : "misc" ,
"name" : "malware-analysis" ,
"template_uuid" : "8229ee82-7218-4ff5-9eac-57961a6f0288" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "47c9fa88-b331-4b2e-86e2-64282aab3fe6" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "47c9fa88-b331-4b2e-86e2-64282aab3fe6" ,
"referenced_uuid" : "e2e1a9d3-1363-51a8-a780-23f78f8c917a" ,
"relationship_type" : "analyses" ,
"timestamp" : "1701849221" ,
"uuid" : "c71048c0-4fa4-4861-b51e-3ab7c1eaaf1a"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "product" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "d6a5488c-de7b-401b-b173-5468b4cbc8c8" ,
"value" : "zillya"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "result" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "faf62d2a-a099-46e6-a11e-e06dfe9bea98" ,
"value" : "unknown"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "result_name" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "03b42e19-53cc-4129-8d59-b2030e4e7f3f" ,
"value" : "Trojan.Agent.Win64.39686"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Malware is a type of TTP that represents malicious code." ,
"meta-category" : "misc" ,
"name" : "malware" ,
"template_uuid" : "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d" ,
"template_version" : "1" ,
"timestamp" : "1695739347" ,
"uuid" : "a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"referenced_uuid" : "eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"relationship_type" : "related-to" ,
"timestamp" : "1701849221" ,
"uuid" : "9a159d2e-932c-4596-b18b-0fde3357cecc"
} ,
{
"comment" : "" ,
"object_uuid" : "a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"referenced_uuid" : "272aca0e-f758-5014-b7e6-75a0305837d5" ,
"relationship_type" : "related-to" ,
"timestamp" : "1701849221" ,
"uuid" : "86d2e878-7c6b-4bb8-9854-1c0e567a4578"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c1efdcae-341a-4853-bfe8-8afd18768fab" ,
"value" : "This file is a 64-bit Windows DLL called a.dll that is executed by a.bat as a parameter for the file a.exe. The file a.exe loads this file into the running LSASS process on the infected machine. The file a.dll calls the Windows API CreateFileW to create a file called a.png in the path %PUBLIC%\\\r\n\r\nNext, a.dll loads DbgCore.dll then utilizes MiniDumpWriteDump function to dump LSASS process memory to disk. If successful, the dumped process memory is written to a.png. Once this is complete, the file a.bat specifies that the file a.png is used to create the cabinet file called a.cab in the path %WINDIR%\\Tasks."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "is_family" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "boolean" ,
"uuid" : "cfd418f1-654f-4bcd-abde-468a9a45f286" ,
"value" : "0"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "malware_type" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "aefb1011-3950-4b71-baff-f2f8fd37f8fb" ,
"value" : "trojan"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"first_seen" : "2023-11-16T14:40:15.784715+00:00" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1695739347" ,
"uuid" : "a2ed1e76-995c-4ac2-96f3-361a818d7bf8" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "0112fb48-2a64-4c24-b334-558ff9ee132a" ,
"value" : "206b8b9624ee446cad18335702d6da19"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "48d0c17a-9738-4af1-bb5c-b002cd609e2c" ,
"value" : "364ef2431a8614b4ef9240afa00cd12bfba3119b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1565e260-66fa-49b7-afc5-fcea1f7149d0" ,
"value" : "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "32d28d2e-663b-45c9-bcb6-36f7f98b8dd2" ,
"value" : "efa720237bd2773719d7f8e377f63f93d25a691a6f2b8f52ff9ecbd1495c215690d01400d8b7fd9bb79b47de09817d72c82676b67ed70ecf61b002c7d8e9e11d"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1701849221" ,
"uuid" : "272aca0e-f758-5014-b7e6-75a0305837d5" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "272aca0e-f758-5014-b7e6-75a0305837d5" ,
"referenced_uuid" : "eb408b5c-09b1-449c-9125-d451a8c4ae0d" ,
"relationship_type" : "related-to" ,
"timestamp" : "1701849221" ,
"uuid" : "7b0ae697-09f1-4a14-9000-2f377ad192ac"
} ,
{
"comment" : "" ,
"object_uuid" : "272aca0e-f758-5014-b7e6-75a0305837d5" ,
"referenced_uuid" : "a1e53fea-9148-4c25-b1c7-da233d87c930" ,
"relationship_type" : "related-to" ,
"timestamp" : "1701849222" ,
"uuid" : "bbefa059-52c0-41c5-adb5-bd69635b01ee"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "09610b1a-e567-4260-b348-6aa175c82f82" ,
"value" : "52d5e2a07cd93c14f1ba170e3a3d6747"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "acf08273-60aa-4c6c-b2ba-b07fd61a5a69" ,
"value" : "8acaf9908229871ab33033df7b6a328ec1db56d5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "b5530f26-fc8c-4f95-9a04-831e52bfd602" ,
"value" : "98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "676c44c9-1c89-4508-936b-7a32e1ec7e52" ,
"value" : "317414f28d34f8295aa76cf9f39d4fd42c9bad292458dbd2a19f08a6a8b451e271179b7ef78afd8a2fe92a2e1103d9ef5e220557febf42d91900c268b8d61b69"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "2a93990a-ba38-44d9-af1b-b35f164be369" ,
"value" : "6:halw5fwmUDXSLp8k7KdXSLp8kukK7va2RK4HvEEIVpmYY:sMULS98QAS98kuZ7XPcK3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "b0543ac4-0c91-4f51-b24e-f2faa0bd0dea" ,
"value" : "a.bat"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "ac07e68f-e4d3-4456-8426-c2c5d788e04e" ,
"value" : "376"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1701849221" ,
"uuid" : "e5ef55cc-e9d8-585e-baf5-4bebebe966a3" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "124b303f-af48-49a3-af02-6858a1a4c03d" ,
"value" : "9cff554fa65c1b207da66683b295d4ad"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "254372cd-92e6-4151-af8f-0e9d3353fc32" ,
"value" : "b8e74921d7923c808a0423e6e46807c4f0699b6e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "8a9b36f3-6f8f-4032-a238-883d9d2980c6" ,
"value" : "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha512" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "sha512" ,
"uuid" : "99e7facb-7848-489d-a7a7-9c9f0662c18c" ,
"value" : "131621770e1899d81e6ff312b3245fe4e4013c36f82818a82fdd319982e6b742a72d906b6fb86c422bb720cd648f927b905a8fc193299ad7d8b3947e766abbd3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ssdeep" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "ssdeep" ,
"uuid" : "12496ccf-dbf3-4301-baca-7e2def90b236" ,
"value" : "48:BpsnUP6s3ceBg5YbFYNXEtUyzzYyUyh0+FVzYA6P+Fqbaug9trYhTHhIQG86w09:BuUP6sseBIOqXEvpcrb89Z2THCQ6P"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1701849221" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "a7279be8-becb-4468-a1eb-077c378d0373" ,
"value" : "a.py"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1701849221" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "d6453cef-cda4-4add-9d28-6b9c3a8ab18b" ,
"value" : "2645"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing the original file used to import data in MISP." ,
"meta-category" : "file" ,
"name" : "original-imported-file" ,
"template_uuid" : "4cd560e9-2cfe-40a1-9964-7b2e797ecac5" ,
"template_version" : "2" ,
"timestamp" : "1701849261" ,
"uuid" : "768b3de5-0693-4cf1-9ee9-14d49bb338dd" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "imported-sample" ,
"timestamp" : "1701849261" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "611ece1d-d27b-4277-b483-9bbf62e8bcd8" ,
"value" : "MAR-10478915.r1.v1.CLEAR_stix2.json"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "format" ,
"timestamp" : "1701849261" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "43ab5514-2e2c-428f-8155-b301232a2e14" ,
"value" : "STIX 2.1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1701849458" ,
"uuid" : "335344d0-7470-4ab8-a1ba-6d5e7474bacb" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1701849458" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "70f27681-b669-4b90-bed0-79d7100828a8" ,
"value" : "https://www.cisa.gov/news-events/analysis-reports/ar23-325a"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1701849458" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "d6e0cd97-4c9f-47d6-be1c-508fa062fca8" ,
"value" : "Responding to the recently disclosed CVE-2023-4966, affecting Citrix NetScaler ADC and NetScaler Gateway appliances, CISA received four files for analysis that show files being used to save registry hives, dump the Local Security Authority Subsystem Service (LSASS) process memory to disk, and attempts to establish sessions via Windows Remote Management (WinRM). The files include:\r\n\r\n Windows Batch file (.bat)\r\n Windows Executable (.exe)\r\n Windows Dynamic Link Library (.dll)\r\n Python Script (.py)\r\n\r\nFor more information about this vulnerability, see Joint Cybersecurity Advisory #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability."
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
f G 3 W c B J 0 w T I Z g Z 1 c 3 H 5 D k 4 v z t 9 / G U H z G 84 b k t O Z 9 T J M n W C E 1 C j p o P A c 5 H l / O V 1 P p r f b + / E N r O d U G x O o 8 c C W 4 o h n a B d E P O Y 9 k M a T T w s O Z y u 4 q p K v k r 3 Y 1 g B E A 9 I d s l X q I 12 V B M + Y + S + u 0 h 4 O I 9 + B L 96 W q c G n 9 Q Q 5 N i K g s c J C S 4 + o n t X z e b W d z + a T 8 X a + W n Y V a Z q g 4 Y 3 P T L a o G p B E 72 d F + 8 H H O / m P t i i E J X e 18 b Q E N F B 2 k l p C q p 0 Q s R P y n a w Z w V u G H O p f M b B Q z 2 M g o N 7 A C G K w j n c k 1 N O U c 7 s L q n q V 7 u S c 7 b 4 o F Z d w t 0 X N a l T t 7 v z J 2 T 9 T U u b M d x L O m 3 A 1 U I / T g z 1 D 1 e J M O a l m t r + W u g u 9 y 9 T j 0 z W L F G Q J 2 z 5 K L l q m H n P u T c o p j L k v m P K j V V K 1 m f b a 7 n D 1 K R 5 G N I 1 Q Q Y 295 W m i r P b 6 T / s + n y W Q / v K 3 e t k L r b I B 2 Z p p I a q / Q 7 L s W e d B V X 8 s T C x R c 4 f j g q e 1 Y a q Y 8 j X g t o s n p d F 54 Z L K h y T z u k 49 Z k O y w I R 8 P e p v p y x i V f i 7 S b q W R U 7 f o q E j A 90 j U w 0 c m V R e e k P 74 Q f A X w E G A I y P o / Y N Z W 5 k c 3 R y Z W F t D W V u Z G 9 i a g 0 5 N S A w I G 9 i a g 0 8 P C 9 G a W x 0 Z X I v R m x h d G V E Z W N v Z G U v T G V u Z 3 R o I D c 0 M z 4 + c 3 R y Z W F t D Q p I i a R W Q W / T U A y + + 1 f 4 m E o s a 9 K k S b j B m I Q Q B x i R d k A c 2 F s 7 p i 5 t W R o Q / 540 j Z 3 O X 5 J u o E r t 67 O f 32 f 7 s / 3 y D 3 y Z 8 + f 685 P j h O N 4 z v E 0 4 W B K j w u + 5 j W f X 5 Q B u 5 K n z a d 0 t V 7 q p 1 G U R l m z o 3 / i x A / D Z B 7 V N l J / H k Y p u 4 L f 5 h w 0 a s 0 35 Q W f 53 l Y / 8 u X / J W 93 x M + m / o h e 9 + b R c L e Y 7 O Y H S 1 U t J b F b s L 1 I f L u 5 f R C J C U 3 I v Y 2 s r N s N 0 S A 1 v 7 w h B r R S u 2 p 7 F Y W c l x R 6 Z V 3 s m g t U 6 e j p 9 H w n T U 8 g g t P L 62 X e m U B U Y N g b e A m w e B Q t L P w 7 i d k w C w G g / U D V G z 4 q M c 532 Q s b w R B n z l R e X c w Q t 57 s f Z l L 
5 l 1 G o p t A 0 a U M + t O h 556 L x o L i A / a V R d L 9 X E 0 x z b 0 m s H C x G
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "report-file" ,
"timestamp" : "1701849458" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "fc29a335-d2a8-402e-8a39-77e9c1995024" ,
"value" : "MAR-10478915.r1.v1.CLEAR_.pdf"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "case-number" ,
"timestamp" : "1701849458" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "9670f0e7-37af-4838-be8b-5f0eb23511ce" ,
"value" : "AR23-325A"
}
]
}
]
}
}