{
"Event" : {
"analysis" : "0" ,
"date" : "2019-01-11" ,
"extends_uuid" : "" ,
"info" : "OSINT - Threat Actor \u201cCold River\u201d: Network Traffic Analysis and a Deep Dive on Agent Drable" ,
"publish_timestamp" : "1547722857" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1547722837" ,
"uuid" : "5c3f3eca-3ce8-4bb0-8f24-43c0950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:threat-actor=\"Cold River\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547715563" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5c3f45a3-939c-4161-aced-4586950d210f" ,
"value" : "https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547715562" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c3f4698-757c-4466-b3be-4457950d210f" ,
"value" : "While reviewing some network anomalies, we recently uncovered Cold River, a sophisticated threat actor making malicious use of DNS tunneling for command and control activities. We have been able to decode the raw traffic in command and control, find sophisticated lure documents used in the campaign, connect other previously unknown samples, and associate a number of legitimate organizations whose infrastructure is referenced and used in the campaign.\r\n\r\nThe campaign targets Middle Eastern organizations largely from the Lebanon and United Arab Emirates, though, Indian and Canadian companies with interests in those Middle Eastern countries are also targeted. There are new TTPs used in this attack \u2013 for example Agent_Drable is leveraging the Django python framework for command and control infrastructure, the technical details of which are outlined later in the blog." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : false ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "callback domain" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547652316" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5c3f4cdc-9928-4d32-9ed1-82e5950d210f" ,
"value" : "0ffice36o.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Hardcoded HTTP CnC, not used at the time of the analysis." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547712740" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c4035b9-a0e0-4a00-96c7-4f77950d210f" ,
"value" : "185.161.211.72"
} ,
{
"category" : "Network activity" ,
"comment" : "DNS queries from different victims" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547712231" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c4036e7-cde0-4795-b1e7-462c950d210f" ,
"value" : "crzugfdhsmrqgq4hy000.0ffice36o.com"
} ,
{
"category" : "Network activity" ,
"comment" : "DNS queries from different victims" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547712237" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c4036ed-7310-48ea-9f64-47e2950d210f" ,
"value" : "gyc3gfmhomrqgq4hy.0ffice36o.com"
} ,
{
"category" : "Network activity" ,
"comment" : "DNS queries from different victims" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547712238" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c4036ee-e8b0-470e-81f0-489a950d210f" ,
"value" : "svg4gf2ugmrqgq4hy.0ffice36o.com"
} ,
{
"category" : "Network activity" ,
"comment" : "DNS queries from different victims" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547712238" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c4036ee-b920-40ce-9802-4854950d210f" ,
"value" : "hnahgfmg4mrqgq4hy.0ffice36o.com"
} ,
{
"category" : "Network activity" ,
"comment" : "DNS queries from different victims" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547712239" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c4036ef-3818-4a57-bd3b-4d04950d210f" ,
"value" : "6ghzgf2ugmd4ji2vor2tgvkeutkf.0ffice36o.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Mostly used to generate Let\u2019s Encrypt certificates. Port 443 still answers with memail.mea.com[.]lb. Port 444 has a \u201cGlobalSign\u201d certificate of memail.mea.com[.]lb." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713468" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c403bbc-4d24-46a6-83eb-4eea950d210f" ,
"value" : "185.20.187.8"
} ,
{
"category" : "Network activity" ,
"comment" : "Hostname of a third-party organisation that the 185.20.187.8 attribute in this event serves a certificate for; the attacker-controlled indicator is that IP, not this name. Blocking this hostname would likely affect a legitimate service \u2014 review to_ids before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713469" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c403bbd-4f68-4256-bfa6-46e9950d210f" ,
"value" : "memail.mea.com.lb"
} ,
{
"category" : "Network activity" ,
"comment" : "Live HTTP CnC. Ports 80 and 443 return interesting Django debug info." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713469" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c403bbd-e298-4419-a1cd-4c2b950d210f" ,
"value" : "185.20.184.138"
} ,
{
"category" : "Network activity" ,
"comment" : "Unknown usage. Basic authentication protected page on port 7070 with https, cert CN is \u201ckerteros\u201d. Port 8083 hosts a webserver, but only returns a blank page." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713470" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c403bbe-3ff8-4da5-b8a2-4604950d210f" ,
"value" : "185.20.184.157"
} ,
{
"category" : "Network activity" ,
"comment" : "Hosted the HR phishing domains hr-suncor[.]com and hr-wipro[.]com, now redirect to the legitimate website." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713470" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c403bbe-99d4-47e6-8cb0-4e86950d210f" ,
"value" : "185.161.211.79"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713471" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5c403bbf-f648-4156-85e6-42ce950d210f" ,
"value" : "hr-suncor.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713471" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5c403bbf-b8b0-4e0c-92f0-4757950d210f" ,
"value" : "hr-wipro.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Openconnect VPN used to reach the HTTP CnC." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547713471" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c403bc0-dfcc-49a1-850c-48b7950d210f" ,
"value" : "194.9.177.22"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714089" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5c403e29-35cc-497d-8e69-4aa7950d210f" ,
"value" : "files-sender.com"
} ,
{
"category" : "Network activity" ,
"comment" : "crt.sh certificate-transparency lookup kept as a reference for the hostname that follows; crt.sh itself is not attacker infrastructure, so to_ids=true would export a crt.sh URL as an indicator \u2014 review before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714265" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c403ed9-c76c-4390-8782-4dc3950d210f" ,
"value" : "https://crt.sh/?id=923463758"
} ,
{
"category" : "Network activity" ,
"comment" : "Hostname taken from the crt.sh certificate entry above; presumably a legitimate organisation\u2019s infrastructure that the campaign impersonates rather than attacker-controlled \u2014 review to_ids before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714265" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c403ed9-aa4c-4740-b455-464f950d210f" ,
"value" : "webmail.finance.gov.lb"
} ,
{
"category" : "Network activity" ,
"comment" : "crt.sh certificate-transparency lookup kept as a reference for the hostname that follows; crt.sh itself is not attacker infrastructure, so to_ids=true would export a crt.sh URL as an indicator \u2014 review before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714266" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c403eda-9444-4932-a982-43d7950d210f" ,
"value" : "https://crt.sh/?id=922787406"
} ,
{
"category" : "Network activity" ,
"comment" : "Hostname taken from the crt.sh certificate entry above; presumably a legitimate organisation\u2019s infrastructure that the campaign impersonates rather than attacker-controlled \u2014 review to_ids before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714266" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c403eda-c210-49b8-8d66-4ede950d210f" ,
"value" : "mail.apc.gov.ae"
} ,
{
"category" : "Network activity" ,
"comment" : "crt.sh certificate-transparency lookup kept as a reference for the hostname that follows; crt.sh itself is not attacker infrastructure, so to_ids=true would export a crt.sh URL as an indicator \u2014 review before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714267" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c403edb-bb74-4ec9-82d6-4f31950d210f" ,
"value" : "https://crt.sh/?id=782678542"
} ,
{
"category" : "Network activity" ,
"comment" : "Hostname taken from the crt.sh certificate entry above; presumably a legitimate organisation\u2019s infrastructure that the campaign impersonates rather than attacker-controlled \u2014 review to_ids before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714267" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c403edb-feb8-401a-93fd-4dbd950d210f" ,
"value" : "mail.mgov.ae"
} ,
{
"category" : "Network activity" ,
"comment" : "crt.sh certificate-transparency lookup kept as a reference for the hostname that follows; crt.sh itself is not attacker infrastructure, so to_ids=true would export a crt.sh URL as an indicator \u2014 review before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714268" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c403edc-6934-4289-a417-4377950d210f" ,
"value" : "https://crt.sh/?id=750443611"
} ,
{
"category" : "Network activity" ,
"comment" : "Hostname taken from the crt.sh certificate entry above; presumably a legitimate organisation\u2019s infrastructure that the campaign impersonates rather than attacker-controlled \u2014 review to_ids before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714269" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "5c403edd-93ac-4c08-9d81-4c37950d210f" ,
"value" : "adpvpn.adpolice.gov.ae"
} ,
{
"category" : "Network activity" ,
"comment" : "crt.sh certificate-transparency lookup (reference material for the hostnames listed above, not attacker infrastructure); to_ids=true would export a crt.sh URL as an indicator \u2014 review before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714269" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c403edd-7dac-49a4-81a4-44e0950d210f" ,
"value" : "https://crt.sh/?id=741047630"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714709" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c404095-60e0-405d-88e5-4073950d210f" ,
"value" : "185.20.184.15"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714710" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c404096-b05c-4197-8887-4a82950d210f" ,
"value" : "104.148.109.193"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714710" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5c404096-1914-44d6-a9fb-4415950d210f" ,
"value" : "microsoftonedrive.org"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "Filesystem artifacts \u2014 directory path on disk; the attribute type regkey does not match the value (it is not a registry key). to_ids is false, so it is not exported as an IDS rule." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714952" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5c404188-ffa8-4fe9-a371-4b3c950d210f" ,
"value" : "%userprofile%\\.oracleServices\\Apps\\"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Filesystem artifacts" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714953" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5c404189-6988-4169-9f92-466a950d210f" ,
"value" : "%userprofile%\\.oracleServices\\Configure.txt"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "Filesystem artifacts \u2014 directory path on disk; the attribute type regkey does not match the value (it is not a registry key). to_ids is false, so it is not exported as an IDS rule." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714953" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5c404189-0f60-45c0-876e-41e6950d210f" ,
"value" : "%userprofile%\\.oracleServices\\Downloads\\"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Filesystem artifacts" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714954" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5c40418a-91d4-48fb-a083-4180950d210f" ,
"value" : "%userprofile%\\.oracleServices\\log.txt"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Filesystem artifacts" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714954" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5c40418a-8778-48f9-a9dd-468e950d210f" ,
"value" : "%userprofile%\\.oracleServices\\svshost_serv.doc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Filesystem artifacts" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714955" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5c40418b-6908-412b-bb68-4620950d210f" ,
"value" : "%userprofile%\\.oracleServices\\svshost_serv.exe"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "Filesystem artifacts \u2014 directory path on disk; the attribute type regkey does not match the value (it is not a registry key). to_ids is false, so it is not exported as an IDS rule." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547714955" ,
"to_ids" : false ,
"type" : "regkey" ,
"uuid" : "5c40418b-17e8-4969-910d-41a5950d210f" ,
"value" : "%userprofile%\\.oracleServices\\Uploads\\"
}
] ,
"Object" : [
{
"comment" : "weaponized empty document" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1547650809" ,
"uuid" : "5c3f46f9-f208-4ad9-9ce1-4c08950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547650809" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c3f46f9-7db8-4cfd-a58c-4d37950d210f" ,
"value" : "1f007ab17b62cca88a5681f02089ab33adc10eec"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1547650810" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c3f46fa-d65c-4bff-8c6e-4f8b950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "HR document from Suncor" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1547651456" ,
"uuid" : "5c3f4980-f148-4b82-bbb4-4fc6950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547651456" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c3f4980-8394-4783-93b3-4167950d210f" ,
"value" : "9ea865e000e3e15cec15efc466801bb181ba40a1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1547651457" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c3f4981-8aec-4319-9169-46d9950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Microblog post like a Twitter tweet or a post on a Facebook wall." ,
"meta-category" : "misc" ,
"name" : "microblog" ,
"template_uuid" : "8ec8c911-ddbe-4f5b-895b-fbff70c42a60" ,
"template_version" : "5" ,
"timestamp" : "1547709921" ,
"uuid" : "5c402de1-c87c-479a-9aad-45dd950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "post" ,
"timestamp" : "1547709921" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402de1-116c-4d24-ae84-46d2950d210f" ,
"value" : "@securitydoggo @James_inthe_box @malwrhunterteam @Malwageddon Possible DNS tunneler/stager with 0ffice36o[.]com C2. Anyone speak Russian? https://www.sendspace.com/file/69a6bc"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1547709921" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402de1-8bf8-4b46-8284-4149950d210f" ,
"value" : "Twitter"
} ,
{
"category" : "Network activity" ,
"comment" : "Link to the source tweet (reference material, not attacker infrastructure); to_ids=true would export this twitter.com URL as an indicator \u2014 review before IDS export." ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1547709921" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c402de1-8c20-4156-a2ca-441c950d210f" ,
"value" : "https://twitter.com/KorbenD_Intel/status/1053037793012781061"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username-quoted" ,
"timestamp" : "1547709922" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402de2-b470-4625-899a-42d8950d210f" ,
"value" : "@securitydoggo"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username-quoted" ,
"timestamp" : "1547709922" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402de2-6b7c-4f2b-9ab6-438e950d210f" ,
"value" : "@James_inthe_box"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username-quoted" ,
"timestamp" : "1547709923" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402de3-a27c-4dc8-9dd9-42e3950d210f" ,
"value" : "@Malwageddon"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username-quoted" ,
"timestamp" : "1547709923" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402de3-aad8-4803-bf02-415a950d210f" ,
"value" : "@malwrhunterteam"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1547709924" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c402de4-8fc0-4cc4-a3f9-496d950d210f" ,
"value" : "https://www.sendspace.com/file/69a6bc"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "creation-date" ,
"timestamp" : "1547709924" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "5c402de4-3e70-478a-b932-442e950d210f" ,
"value" : "2018-10-18T14:39:00"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username" ,
"timestamp" : "1547709925" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402de5-0364-4a8d-a8e7-45ff950d210f" ,
"value" : "@KorbenD_Intel"
}
]
} ,
{
"comment" : "Empty doc (same sha1 as the \u201cweaponized empty document\u201d object in this event; duplicate file object)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1547710092" ,
"uuid" : "5c402e8c-09f8-42f0-b7a0-4d0c950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547710092" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c402e8c-f2c4-4a62-a61f-4390950d210f" ,
"value" : "1f007ab17b62cca88a5681f02089ab33adc10eec"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1547710093" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c402e8d-fb64-4900-bcb2-41a3950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "Suncor decoy (same sha1 as the \u201cHR document from Suncor\u201d object in this event; duplicate file object)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1547710720" ,
"uuid" : "5c403100-1104-4b24-9e5a-441f950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547710720" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c403100-dc0c-448c-8086-4412950d210f" ,
"value" : "9ea865e000e3e15cec15efc466801bb181ba40a1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1547710721" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c403101-e2d0-4700-935e-4568950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "Payload with logs information" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1547711258" ,
"uuid" : "5c40331a-a4c4-44ed-9774-4a0a950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547711258" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c40331a-16bc-494d-a0fe-4acc950d210f" ,
"value" : "1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1547711259" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c40331b-a7a8-4b52-be47-4308950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "Payload without logs information" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1547711877" ,
"uuid" : "5c403585-b7e8-47f2-ad7d-44ee950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547711877" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c403585-1918-4274-bd89-42d8950d210f" ,
"value" : "1022620da25db2497dc237adedb53755e6b859e3"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1547711877" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c403585-fd88-4e3a-8856-4728950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "Dropper (maldoc)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1547714458" ,
"uuid" : "5c403f9a-39c8-4cad-bac3-452a950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547714459" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c403f9b-63fc-45f7-850e-4728950d210f" ,
"value" : "678ea06ebf058f33fffa1237d40b89b47f0e45e1"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1547714459" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c403f9b-09b0-46c4-b4f4-43e8950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547722809" ,
"uuid" : "3865d658-4ec2-4ccf-8437-2cf9ecdd8dac" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "3865d658-4ec2-4ccf-8437-2cf9ecdd8dac" ,
"referenced_uuid" : "3c8bf6c1-e76a-4d68-95ec-8f98f353c35f" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547722822" ,
"uuid" : "5c406046-bd7c-4e17-8078-9bf102de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547722809" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "000fd719-feca-4364-b1bc-285ef29abc50" ,
"value" : "48320f502811645fa1f2f614bd8a385a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547722810" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "998053f4-5e4b-4008-a3b2-81ab4379e64e" ,
"value" : "1f007ab17b62cca88a5681f02089ab33adc10eec"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547722810" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "b99f01dc-0812-4be6-a5d9-673f2a8eeab9" ,
"value" : "15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547722811" ,
"uuid" : "3c8bf6c1-e76a-4d68-95ec-8f98f353c35f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547722811" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "98d5929e-dcfd-441b-bfda-7b38ea435eec" ,
"value" : "2019-01-15T07:47:18"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547722812" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "4fc92056-064b-472c-b77b-3f30cf915fca" ,
"value" : "https://www.virustotal.com/file/15fe5dbcd31be15f98aa9ba18755ee6264a26f5ea0877730b00ca0646d0f25fa/analysis/1547538438/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547722812" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a49850e2-6174-403b-8eac-8cad60a6e895" ,
"value" : "37/58"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547722812" ,
"uuid" : "d866b492-3e79-4f62-ae4b-8fcfe1ec0a05" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "d866b492-3e79-4f62-ae4b-8fcfe1ec0a05" ,
"referenced_uuid" : "28884802-adc0-41dd-85c5-f37b24623600" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547722823" ,
"uuid" : "5c406047-9e00-4b7e-8180-9bf102de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547722812" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "8ea1983d-5c84-40c6-ae20-1837edc9408a" ,
"value" : "c00c9f6ebf2979292d524acff19dd306"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547722813" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "e9f324df-8f59-4a66-8e01-53ba87c05c69" ,
"value" : "1022620da25db2497dc237adedb53755e6b859e3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547722813" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "84d91894-f618-47e4-bd4c-cb1452aff53d" ,
"value" : "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547722814" ,
"uuid" : "28884802-adc0-41dd-85c5-f37b24623600" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547722814" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d2f9d666-d4b2-4ed5-b123-0ca8a51144cc" ,
"value" : "2018-12-21T08:26:31"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547722814" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "0180ce7c-4d8f-4dc2-a1c1-d69f89da88bb" ,
"value" : "https://www.virustotal.com/file/45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff/analysis/1545380791/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547722815" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "be1bde68-c09d-49b2-bc65-75b1771d2b48" ,
"value" : "45/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547722815" ,
"uuid" : "b8c3e2c4-dd23-4d42-8f1e-83832c52602b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "b8c3e2c4-dd23-4d42-8f1e-83832c52602b" ,
"referenced_uuid" : "fa573724-154a-4d4e-84a1-f36c91f5422e" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547722823" ,
"uuid" : "5c406047-d5a4-41e4-9dad-9bf102de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547722815" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "c1bd72d2-5b31-4e61-9f7c-3ef18f42f53b" ,
"value" : "807482efce3397ece64a1ded3d436139"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547722816" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5889b9ef-10df-460b-8bb1-e6323aa6c826" ,
"value" : "9ea865e000e3e15cec15efc466801bb181ba40a1"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547722816" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "9c268a86-b6e7-4a93-ba9d-c75707f2ce05" ,
"value" : "9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547722817" ,
"uuid" : "fa573724-154a-4d4e-84a1-f36c91f5422e" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547722817" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "b4ba042e-d5d3-47db-8839-1b8701adc6a0" ,
"value" : "2018-12-22T03:41:06"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547722818" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "0d61fdfd-883b-46d6-ad89-d1efb20fb53d" ,
"value" : "https://www.virustotal.com/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14/analysis/1545450066/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547722818" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "97e10fc5-576b-4edc-b0f6-0e18effdcf0c" ,
"value" : "36/60"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547722818" ,
"uuid" : "e672e426-1d42-42e0-b1d0-fbc9d846b35c" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "e672e426-1d42-42e0-b1d0-fbc9d846b35c" ,
"referenced_uuid" : "553ba70d-9782-43f5-8355-434287122d90" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547722823" ,
"uuid" : "5c406047-4bd0-48fc-8872-9bf102de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547722818" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "f767b386-5ffd-4405-b117-85c1d14c15f0" ,
"value" : "d2052cb9016dab6592c532d5ea47cb7e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547722819" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "26d8c66e-68c8-4676-924c-7e4b0d88bcc5" ,
"value" : "1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547722819" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "272a5e30-b9b8-44df-b097-56dd1f82eccb" ,
"value" : "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547722821" ,
"uuid" : "553ba70d-9782-43f5-8355-434287122d90" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547722821" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "39d91f37-902a-4939-be62-c55c26d410f1" ,
"value" : "2018-12-21T08:26:28"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547722822" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "bcc36707-9559-4949-8ac7-baa0bb6078b2" ,
"value" : "https://www.virustotal.com/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/1545380788/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547722822" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "88168f7f-ef6b-466d-a831-053c528c2343" ,
"value" : "47/69"
}
]
}
]
}
}