{
"Event" : {
"analysis" : "0" ,
"date" : "2019-05-22" ,
"extends_uuid" : "5cb88eb5-ba84-40a8-a31d-01c00a016219" ,
"info" : "OSINT - A journey to Zebrocy land" ,
"publish_timestamp" : "1563528093" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1563528054" ,
"uuid" : "5ce6aa86-9cd8-4302-9dc9-4a59950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1192\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation - T1047\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Component Object Model Hijacking - T1122\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Disabling Security Tools - T1089\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1107\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Staged - T1074\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Automated Exfiltration - T1020\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Encrypted - T1022\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Commonly Used Port - T1043\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Custom Cryptographic Protocol - T1024\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Fallback Channels - T1008\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Multilayer Encryption - T1079\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Standard Cryptographic Protocol - T1032\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:malpedia=\"Zebrocy\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:malpedia=\"Zebrocy (AutoIT)\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-malware=\"Zebrocy - S0251\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"ZEBROCY\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00b3b3" ,
"local" : false ,
"name" : "ecsirt:intrusions=\"backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00a9ce" ,
"local" : false ,
"name" : "veris:action:malware:variety=\"Backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c0037" ,
"local" : false ,
"name" : "ms-caro-malware:malware-type=\"Backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#001534" ,
"local" : false ,
"name" : "ms-caro-malware-full:malware-type=\"Backdoor\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : false ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : false ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : false ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#3a001f" ,
"local" : false ,
"name" : "workflow:todo=\"expansion\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1558680572" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5ce793fc-bc54-401b-9e5b-4a08950d210f" ,
"value" : "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1558680597" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5ce79415-9bf8-440b-9a53-4159950d210f" ,
"value" : "What happens when a victim is compromised by a backdoor and the operator is controlling it? It\u2019s a difficult question that is not possible to answer entirely by reverse engineering the code. In this article we will analyze commands sent by the operator to their targets.\r\n\r\nThe Sednit group \u2013 also known as APT28, Fancy Bear, Sofacy or STRONTIUM \u2013 has been operating since at least 2004 and has made headlines frequently in past years.\r\n\r\nRecently, we unveiled the existence of a UEFI rootkit, called LoJax, which we attribute to the Sednit group. This is a first for an APT group, and shows Sednit has access to very sophisticated tools to conduct its espionage operations.\r\n\r\nThree years ago, the Sednit group unleashed new components targeting victims in various countries in the Middle East and Central Asia. Since then, the number and diversity of components has increased drastically. ESET researchers and colleagues from other companies have documented these components; however, in this article we will focus on what\u2019s beyond the compromise, what the operators do once a victim system is running a Zebrocy Delphi backdoor."
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B Z c A A A K F C A I A A A A / K 0 D V A A A A A X N S R 0 I A r s 4 c 6 Q A A A A R n Q U 1 B A A C x j w v 8 Y Q U A A A A J c E h Z c w A A D s M A A A 7 D A c d v q G Q A A P + l S U R B V H h e 7 N 0 F Y N t G 2 w d w y 2 y H m a l J m k L K z I z r O m Z m 7 K j r 1 v H W j j t m 5 o 6 h w z J z C i m k Y W Y G M 0 r f I 0 t x n c R p s 63 b m u / 9 / z 5 / f a 2 T L J 1 O J 0 3 P 5 X R i O I 6 T A A A A A A A A A A C c 9 q T i / w I A A A A A A A A A n N 7 Q i g E A A A A A A A A A v Q N a M Q A A A A A A A A C g d 0 A r B g A A A A A A A A D 0 D m j F A A A A A A A A A I D e A a 0 Y A A A A A A A A A N A 7 o B U D A A A A A A A A A H o H t G I A A A A A A A A A Q O + A V g w A A A A A A A A A 6 B 3 Q i g E A A A A A A A A A v Q N a M Q A A A A A A A A C g d 0 A r B g A A A A A A A A D 0 D m j F A A A A A A A A A I D e g e E 4 T v w K A A A A A A D w P 4 x t r b d u + s p x b A e r a 5 A w Y i L 8 Z z g J o 1 D K E g c r J 1 + o 6 D d a T I T / e T 1 r x W C d E k Y q Y X A e A w A A A A D A / 0 + c r t n w 0 n W s s U 0 1 b g E T F i + m w n / L Z r Z n b n I U H 9 Z e 9 a R y z H w x 8 V R w F B y 0 7 V / D G Z o p K B a T 4 L / E M b 4 h y l H z 5 C l D x Y T u n a g V g z O 22 Q 9 v c e T v Z 1 s b G L V W F p e m G D 5 L F t V H n H 3 a c j o c 5 b k S m 0 U W k 8 L 4 B o q J A A A A A A A A 3 b O s e s 22 b 43 v f Z 9 J A 0 L F J D g d s K z 5 u x X 2 I 1 v 8 H v y G 8 f E X E / 8e68 Y v z d 89 y x p a J B w r J s F / j p F K f Y M 1 F z + k m n q h m N K N b l s x n J U F p k 8 e d O T v 41 g H I 5 X x i 7 F O a W i c z 5 V P K E b M E R f 6 + 5 w O i V T e o 8 Y v u 0 2 i U I r f u 8e21 J k + e 8 y R u 4 f W L A 2 P 0 1 z 0 o G L Q J H E e A A A A A A B A N / T L z 1 c M m a Z e e J s 4 D a c N t q F C 9 + A c v y d + l U U n i 0 l / A 4 W 6 + m c v 4 f R N E p l c T I L T h M P O B E b 4 L f 3 y x A f a + + i e n K H V 9 N 5 i v i 1 A J m e U G o l c y S h U j E r L N l e Z v 1 v B 6 Z r E 
5 f 4 G z m w w r 3 r d 8 N K 1 h l e u t 239 V t J 9 l x C 2 r s z 46 S O 0 p P G t R Y 6 c D D H V K 9 Z p X r n M t v c X z q z n 7 G Z H a Z b p 0 4e5 t k Z x L g A A A A A A Q D c 4 u 0 W i 1 o g T c F p R a T j W e a r 6 T T i K M t m W W j R h n I 7 k C r a 5 y l l 0 W J z s h v d W D O u O H x 3 F m R K l i s 5 l z / Y F R q F 2 V B X Y j 24 X p / 8 q z m Y x f n C / + b v n b I c 32 w 6 s M X 54 n + W 3 d 8 V 5 H b H N N Y b X b 7 W u / d C W t c 268 w f D G z c 7 s n e L 87 p w 1 p T a s 7 Y z K o 1 E K p U w U k a p Z h v K H e X Z 4 m w A A A A A A I D u M M w J / r Y K / 6 V T e 1 z s Z g n n F L / D 6 c b p 5 B x m 8 X s 3 v L V i O J 3 O g v 2 c h J M 4 H Y z K R y J X 8 G 0 Z 7 e j U d u T u F S f + K k f O b v v + P x i l 2 v X R S B i p Z c M n b H 2 F O N u D f d c v z t I j j N r H 1 R n E h 9 M 1 W l a / L 87 r g m 2 p 4 V g H 5 V G c J g z D 6 V v E 7 w A A A A A A A P C / D s N 5 n u Z O c o C 8 t W J I p f L U k Y x c J U 8 d 5 b v 4 U 9 W Y h R K H Q 5 x F G I Z t q h K 
//1XO6mIJyx5/6YmUkViMbH2ZOOnBUZ4jkcrECSKTO2sKOJtVnOyI4fe2yw6jpxAAAAAAAADA/wveWjEYRjXrKv9nN/re86E8dZgsId2zLwbN5ody/XtkkYmu1ob21bKcRKVhwuLESQ+cwyZ+c6MfdffOV5ncyyyZRyMIAAAAAAAAAPRa3sfFoMhfFpnIaPnX2DAqTeenkJhuftVj8gHjFUNncRaTxGHj7FaOdaqmXiaLSBBne/LSKiFn5N10r5DKujZvMFL0xQAAAAAAAAD4/6AH7RHCGJ8eGJlC/PZXMSqNz40vaC9+WJE+RTVirs8NL2rO6tkLjTiOkStpBeJkJ1JZ1xYWpgfvZwUAAAAAAACA09/JWzG6tAJwp2SkCcY3UL3wVp873/W5/Q3V5PO7X2eXBguFqrsnShgvK2H45QEAAAAAAACg9+tBXwy+70NHp26kCf6tqF3X344fFMPZdVwMhm2t5z+N1WxzDWf1eAuLXBgXo+MDMAq1+AUAAAAAAAAAerMetGJ0HVeCEVsxOLvVUXDQsvZj8zfPmT5+yLzySev6T+1Ht0scdmGBE2Pry227frbtX8cZ28QkD46CA8ZXb+bf6urZw0Imd1bltC2Z2rZkStvS6W33zzCsuMpZWSDO5Z8o6dhNg5Ew6IsBAAAAAAAA8P9CD54o8XzRqUChlNgstp0/65+60PDClabPHjH/8ppl42fmP94xfvyg4ZXr9Suush/ZKi7cDfuRbfpnLjW+fafx9ZsNL9/ANtWIM1w4Y6tp5XL7gdWc1di5YYLj+A4aTruEddIXe/Z2y+r3+UQxq50eNmH43HaP07dyNos4cTKcSc+ZjeIEAAAAAAAAAPy7etAXo9PzI4yMa6o2vHG78b27nCWHOZuZUWkYlZZRqvkvaq2EdTpydhpeucHyy9viT7rgTAbLz685G0olCrlEKrXn7LSs+1icJ7Db+A4aXftWiChRSGckjJSzGIVWDNfyrmQBJcoU3gbL4LHNtcb3l+ifu9Tw3OW2XT+Lqd3gLCbz9y8anqWFLzP//IbE4RBnAAAAAAAAAMC/pQetGB0aBugXUmd1vv3QBr51Q6bo+k4Qvt1BrpSwTvOPL5h/9d6QwbU1OmuKGbnK1QzBMHIl/+SIByYwXDXnWmlofOetE74vhl382G3S4GjVlAspV/ws/t8Oy/MvNPH6XliHzfTpI9bNK53lxxz5e02fPmTP2SPO6orjLD+9bF71iqP0iKM40/Ldc5Y1H4qzAAAAAAAAAODf0oNWDGmXdgS+nULRsb2Ac3088A0KnOXXNxwFB8QUD5zDytlMHfpZ2DwG6XRRz7zC77GfVDOulDg9Oj44nbLEwX5LvuA/937u9+A3/o+tUgyeIs6ljXbILMfns+sTMRKJoyTLkbNLHFtUoWYNLfa9v4nzumCbamz71zAyGb8wfaQy2+6fOJNenA0AAAAAAAAA/4oetGJ07Q3hyWF3jeVJy0j5L54tDlKZxGww//QqZzWJKW4cy49q4blib28SkQZFSAPDxadFBBwrCwiXp0/kP4MmyfuPlYbGiLNIp3ExOI6RKcRuGh2xDVUcn9X2hRkpq2/qsCEPnK5RfLxFIJVyJgOraxYnAQAAAAAAAOBf0YNWjO4aMfgnOxyy+AGaMxf5XLvC58aX1AtulYbG8c0TbgqlI3unszBTnGzH6ZslDluHVXf3PlSWFb+4dTPOBa/rwyP8u1e97SPXZbWUGe9jcJAurRu0YHfL9lIOG9dSx7XUe3zq2LZGvvxZJ9dazx+yjjh9C6VTSXJmQ5ff8j/nDK38Ysa2rmvmhzKhWWa9x6w6Wo9rxSJahmvuZi5lqa2h/bd1HOXTswWKZVma27GZiSad5blsfbnnC3Q4o84jA+0bMunE2f8cp4PPYTf552zmjllyLUO7416GdbJ15c7yPDoEYkontEB9hbOyoFOREv5gNddydqs4LbBb+UShexFfeo3H89ZKdcDjjPZAq6JNOKuKPMf
H5ezdVyRxCY7PW3ku19YkpvyLxN038jXzOI6jQ+CRbaq6Xt6aJGCbapwVeULd9sRZzfyaOxW408Gv0LUwf750LhnXtixdGnkBAAAA4P8xuqunG2y6PfYMYQiFqJ1SiLiw09vCXUJaWsZLnNue7mXlHoniMu2friHw6YShG3jxazccBQd0y87p/L5S+hXDqOdcp55/E+MXJCbSTXtlvuGVG9iGiuNjgjrsqjnXay97WJx0sW752vTRUtdjKS5Ou2LAJN/7PxcnPVh+fcf83bPHl3TYlGPP8bn1FXGyI7alVvfIGXyIIrRcsA5ZWJLfI98x/iGu+cfZdv5s/Og+vja4Wi4oblSNp9W+LsztxFl8VP/85ZzV4F6tNCTOb+mX0rBY1/z/D5yFmYZ37uIrq7t1iXUywVF+iz+hwjG8cLVEKvO59jlZ8mDX4vxc49t3OqoK/B/+zrrpK+ua98WHd+hfp4P/OOzy9Ck+N79o/uxx26EN4lnhQkGv5szbVPOut/zylnXrV3y6EOIqNfL4AeqFt8ni+9OUddNKyy9v8Ovko2hOolDLY9PUCx
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1558688219" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5ce7b1db-b884-4b38-a71e-43b4950d210f" ,
"value" : "Figure-1-WM.png"
} ,
{
"category" : "Network activity" ,
"comment" : "Distribution URL" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1558691566" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5ce7b861-bc80-4e19-9006-4056950d210f" ,
"value" : "http://45.124.132.127/DOVIDNIL - (2018).zip"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1558689889" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5ce7b861-0228-4ce2-b25a-4385950d210f" ,
"value" : "bitly.com/2vZyzgL"
} ,
{
"category" : "Network activity" ,
"comment" : "C&C server" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1558691583" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5ce7beff-ef98-4836-9ab1-44c3950d210f" ,
"value" : "http://45.124.132.127/action-center/centerforserviceandaction/service-and-action.php"
}
] ,
"Object" : [
{
"comment" : ".exe, displays .doc icon" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1558681272" ,
"uuid" : "5ce6ac5b-6d34-455b-b17d-765d950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1558681272" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5ce6ac5b-9b68-4966-bdb5-765d950d210f" ,
"value" : "\u00d0\u201d\u00d0\u017e\u00d0\u2019I\u00d0\u201d\u00d0\u009dI\u00d0\u0161 - (2018).exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1558681229" ,
"uuid" : "5ce7968d-a158-4d3a-aa56-4b70950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1558681229" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5ce7968d-bcec-4be1-a989-4812950d210f" ,
"value" : "\u00d0\u201d\u00d0\u00be\u00d1\u20ac\u00d1\u0192\u00d1\u2021\u00d0\u00b5\u00d0\u00bd\u00d0\u00bd\u00d1\u008f 97.pdf"
}
]
} ,
{
"comment" : "Win32/TrojanDownloader.Sednit.CMT" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1558692091" ,
"uuid" : "5ce7c0fb-4f58-487e-b5d6-4593950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1558692092" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5ce7c0fc-21e4-44d8-9f48-49a3950d210f" ,
"value" : "48f8b152b86bed027b9152725505fbf4a24a39fd"
}
]
} ,
{
"comment" : "Win32/HackTool.PSWDump.D" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1558692124" ,
"uuid" : "5ce7c11c-1cec-4498-b21f-4ae8950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1558692124" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5ce7c11c-7180-4086-b844-4763950d210f" ,
"value" : "1e9f40ef81176190e1ed9a0659473b2226c53f57"
}
]
} ,
{
"comment" : "Win32/PSW.Agent.OGE" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1558692165" ,
"uuid" : "5ce7c145-8fe8-4bc0-b828-463e950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1558692165" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5ce7c145-c604-4976-b50a-4416950d210f" ,
"value" : "bfa26857575c49abb129aac87207f03f2b062e07"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "17" ,
"timestamp" : "1563528053" ,
"uuid" : "77e080d7-7231-44bb-a661-34fb1e1e2070" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "77e080d7-7231-44bb-a661-34fb1e1e2070" ,
"referenced_uuid" : "f315bc29-020c-41cd-8585-cf94f546aa63" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1563528054" ,
"uuid" : "5d318b76-86d8-45ab-82fa-4cde02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1558692092" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "2d508d34-557f-4c19-aa4f-19b033fcf7f3" ,
"value" : "5e4e8cab7fcb43ed39b2feac92ddc2e7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1558692092" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "b57de05c-35bc-4ad9-ac1b-974b6be67c7e" ,
"value" : "48f8b152b86bed027b9152725505fbf4a24a39fd"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1558692092" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "2d0064c9-9924-4624-a2c0-2ac357f46c13" ,
"value" : "b677cce4a844495a20eed2486ef71f4782c06630df34a6ce085880a045a07902"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1563528054" ,
"uuid" : "f315bc29-020c-41cd-8585-cf94f546aa63" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1558692092" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "c8f06757-89ce-4b93-8508-e5441a5ea6ae" ,
"value" : "2019-06-14T09:31:17"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1558692092" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "9cb47e12-6ce5-4243-ba79-952caa74b562" ,
"value" : "https://www.virustotal.com/file/b677cce4a844495a20eed2486ef71f4782c06630df34a6ce085880a045a07902/analysis/1560504677/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1558692092" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0fb9588d-b59b-4604-b9a2-4c488151806a" ,
"value" : "44/62"
}
]
}
]
}
}