{
"Event": {
"analysis": "0",
"date": "2020-01-23",
"extends_uuid": "",
"info": "OSINT - Iranian PupyRAT Bites Middle Eastern Organizations",
"publish_timestamp": "1582700269",
"published": true,
"threat_level_id": "1",
"timestamp": "1582700226",
"uuid": "5e2a97e7-4bd4-41c4-8aaf-4262950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-tool=\"Pupy - S0192\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-tool=\"Pupy - S0192\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"PupyRAT\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Magic Hound - G0059\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-intrusion-set=\"Magic Hound - G0059\""
},
{
"colour": "#12dc00",
"name": "misp-galaxy:threat-actor=\"Cleaver\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"OilRig\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"APT35\""
},
{
"colour": "#440055",
"name": "ms-caro-malware:malware-type=\"RemoteAccess\""
},
{
"colour": "#4bec00",
"name": "enisa:nefarious-activity-abuse=\"remote-access-tool\""
},
{
"colour": "#008ba9",
"name": "veris:asset:variety=\"S - Remote access\""
},
{
"colour": "#00bde6",
"name": "veris:action:misuse:vector=\"Remote access\""
},
{
"colour": "#001739",
"name": "ms-caro-malware-full:malware-type=\"RemoteAccess\""
},
{
"colour": "#5f0044",
"name": "CERT-XLM:malicious-code=\"spyware-rat\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Hosting PowerShell stages of PupyRAT download",
"deleted": false,
"disable_correlation": false,
"timestamp": "1580307698",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e3194f2-e0f0-432a-bc5d-aea2950d210f",
"value": "139.59.46.154"
},
{
"category": "Network activity",
"comment": "PupyRAT command and control server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1580307700",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e3194f4-98d0-4693-9695-aea2950d210f",
"value": "89.107.62.39"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"first_seen": "2026-05-13T21:15:00+00:00",
"meta-category": "misc",
"name": "microblog",
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
"template_version": "10",
"timestamp": "1579852427",
"uuid": "5e2a9a69-4f24-4f73-983b-478b950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "post",
"timestamp": "1579851871",
"to_ids": false,
"type": "text",
"uuid": "5e2a9a69-57e8-40b5-a0bb-4768950d210f",
"value": "Thanks for reaching out @QW5kcmV3\r\n! Here is the report that mentions COBALT GYPSY use of the OST PupyRAT (https://secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations). Iran-nexus group overlaps are a fun challenge to deconstruct\u2026Always appreciate the constructive feedback!\u2026"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "type",
"timestamp": "1579851871",
"to_ids": false,
"type": "text",
"uuid": "5e2aa05f-4cd0-4f9b-9d01-49de950d210f",
"value": "Twitter"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "link",
"timestamp": "1579851872",
"to_ids": false,
"type": "link",
"uuid": "5e2aa060-7c98-4c40-9641-4b5f950d210f",
"value": "https://mobile.twitter.com/maggintel/status/1220440024631644160"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "embedded-safe-link",
"timestamp": "1579852427",
"to_ids": false,
"type": "link",
"uuid": "5e2aa060-5a2c-4588-ba48-4f90950d210f",
"value": "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
"Tag": [
{
"colour": "#002b4a",
"name": "osint:source-type=\"technical-report\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "embedded-safe-link",
"timestamp": "1579851872",
"to_ids": false,
"type": "link",
"uuid": "5e2aa060-8c70-4462-8ead-45bf950d210f",
"value": "https://t.co/NP4e8FXfKI?amp=1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "username-quoted",
"timestamp": "1579851872",
"to_ids": false,
"type": "text",
"uuid": "5e2aa060-9c48-4326-96bd-4301950d210f",
"value": "@QW5kcmV3"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "verified-username",
"timestamp": "1579851872",
"to_ids": false,
"type": "text",
"uuid": "5e2aa060-1864-4154-9d99-43e1950d210f",
"value": "Unverified"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "state",
"timestamp": "1579851872",
"to_ids": false,
"type": "text",
"uuid": "5e2aa060-e708-4e1f-8e34-4e22950d210f",
"value": "Informative"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"first_seen": "2026-05-13T21:15:00+00:00",
"object_relation": "username",
"timestamp": "1579851872",
"to_ids": false,
"type": "text",
"uuid": "5e2aa060-e184-4c09-afb0-4b1d950d210f",
"value": "maggintel"
}
]
},
{
"comment": "Associated organization : National Technology Group, a Saudi Arabian telecommunications company",
"deleted": false,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "6",
"timestamp": "1582700226",
"uuid": "5e3187c7-9b64-4c78-b33f-1c2f950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1580304327",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e3187c7-da78-4519-9745-1c2f950d210f",
"value": "45.32.186.33"
},
{
"category": "Network activity",
"comment": "Spoofed domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1580304327",
"to_ids": true,
"type": "domain",
"uuid": "5e3187c7-3ca8-4aaf-94b0-1c2f950d210f",
"value": "ntg-sa.com"
},
{
"category": "Network activity",
"comment": "Legitimate domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1582700226",
"to_ids": false,
"type": "domain",
"uuid": "5e3187c7-8cf0-4571-b695-1c2f950d210f",
"value": "ntg.com.sa"
}
]
},
{
"comment": "Associated organization : ITWorx, an Egyptian information technology services firm",
"deleted": false,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "6",
"timestamp": "1582700218",
"uuid": "5e318cb9-f1ac-4eac-a1b6-aea2950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1580305594",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e318cba-d264-40c8-abf6-aea2950d210f",
"value": "45.32.186.33"
},
{
"category": "Network activity",
"comment": "Spoofed domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1580305599",
"to_ids": true,
"type": "domain",
"uuid": "5e318cbf-203c-4241-b4fa-aea2950d210f",
"value": "itworx.com-ho.me"
},
{
"category": "Network activity",
"comment": "Legitimate domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1582700218",
"to_ids": false,
"type": "domain",
"uuid": "5e318cc6-25a8-49a8-a30c-aea2950d210f",
"value": "itworx.com"
}
]
},
{
"comment": "Associated organization : Saudi Ministry of Commerce",
"deleted": false,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "6",
"timestamp": "1582700212",
"uuid": "5e318e40-4368-4040-bf75-4888950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1580305984",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e318e40-a670-4cea-b42d-4720950d210f",
"value": "45.32.186.33"
},
{
"category": "Network activity",
"comment": "Spoofed domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1580305989",
"to_ids": true,
"type": "domain",
"uuid": "5e318e45-9494-4eeb-8166-4333950d210f",
"value": "mci.com-ho.me"
},
{
"category": "Network activity",
"comment": "Legitimate domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1582700212",
"to_ids": false,
"type": "domain",
"uuid": "5e318e4c-4980-489d-ab08-4dd0950d210f",
"value": "mci.gov.sa"
}
]
},
{
"comment": "Associated organization : Saudi Ministry of Health",
"deleted": false,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "6",
"timestamp": "1582700205",
"uuid": "5e318ece-eb38-430b-9235-2768950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1580306126",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e318ece-2d9c-4277-9448-2768950d210f",
"value": "45.32.186.33"
},
{
"category": "Network activity",
"comment": "Spoofed domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1580306129",
"to_ids": true,
"type": "domain",
"uuid": "5e318ed1-4c04-4b94-b13a-2768950d210f",
"value": "moh.com-ho.me"
},
{
"category": "Network activity",
"comment": "Legitimate domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1582700205",
"to_ids": false,
"type": "domain",
"uuid": "5e318ed1-bbb8-47a1-879d-2768950d210f",
"value": "moh.gov.sa"
}
]
},
{
"comment": "Associated organization : Saudi Ministry of Labor",
"deleted": false,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "6",
"timestamp": "1582700199",
"uuid": "5e3190e6-cdc4-4ef3-8ee6-d77d950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1580306662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e3190e6-dd1c-4a11-b857-d77d950d210f",
"value": "45.32.186.33"
},
{
"category": "Network activity",
"comment": "Spoofed domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1580306666",
"to_ids": true,
"type": "domain",
"uuid": "5e3190ea-fc30-49b2-889e-d77d950d210f",
"value": "mol.com-ho.me"
},
{
"category": "Network activity",
"comment": "Legitimate domain",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1582700199",
"to_ids": false,
"type": "domain",
"uuid": "5e3190ea-5944-41c7-8f49-d77d950d210f",
"value": "mol.gov.sa"
}
]
},
{
"comment": "Ministry of Health lure (Health_insurance_registration.doc) delivering PupyRAT",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "19",
"timestamp": "1582281744",
"uuid": "5e3193d9-9110-4de4-85c0-4844950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5e3193d9-9110-4de4-85c0-4844950d210f",
"referenced_uuid": "83aabfa5-efd1-401e-a84d-75ab6ab670f0",
"relationship_type": "analysed-with",
"timestamp": "1582281781",
"uuid": "5e4fb435-87a8-44ee-be84-47ad950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1580307940",
"to_ids": true,
"type": "md5",
"uuid": "5e3193d9-3274-4039-a156-4844950d210f",
"value": "1b5e33e5a244d2d67d7a09c4ccf16e56"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1580307946",
"to_ids": true,
"type": "sha256",
"uuid": "5e3195ea-0514-4401-bdd1-f1bd950d210f",
"value": "66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1580307953",
"to_ids": true,
"type": "sha1",
"uuid": "5e3195f1-0a2c-4fdc-ae3b-f1bd950d210f",
"value": "934c51ff1ea00af2cb3b8465f0a3effcf759d866"
}
]
},
{
"comment": "PupyRAT (pupyx86.dll) ",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "19",
"timestamp": "1582281745",
"uuid": "5e319643-2f90-4bf1-89f5-7f0b950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5e319643-2f90-4bf1-89f5-7f0b950d210f",
"referenced_uuid": "e5e73bc0-efa0-484e-8086-0f3137f470e3",
"relationship_type": "analysed-with",
"timestamp": "1582281781",
"uuid": "5e4fb435-7134-495c-86d1-48c9950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1580308035",
"to_ids": true,
"type": "md5",
"uuid": "5e319643-9e1c-4e62-9e51-7f0b950d210f",
"value": "97cb7dc1395918c2f3018c109ab4ea5b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1580308040",
"to_ids": true,
"type": "filename",
"uuid": "5e319648-0760-46c7-8fe5-7f0b950d210f",
"value": "pupyx86.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1580308046",
"to_ids": true,
"type": "sha256",
"uuid": "5e31964e-11c4-45ad-9f8e-7f0b950d210f",
"value": "8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1580308052",
"to_ids": true,
"type": "sha1",
"uuid": "5e319654-88e0-452c-a212-7f0b950d210f",
"value": "3215021976b933ff76ce3436e828286e124e2527"
}
]
},
{
"comment": "Password-themed lure (Password_Policy.xlsm) delivering PupyRAT",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "19",
"timestamp": "1582281745",
"uuid": "5e31969e-8ca8-462e-b114-7f1d950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5e31969e-8ca8-462e-b114-7f1d950d210f",
"referenced_uuid": "87cbd279-31f6-474e-92b7-6f1ca9c322c8",
"relationship_type": "analysed-with",
"timestamp": "1582281781",
"uuid": "5e4fb435-9e64-4abc-bfa3-47cb950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1580308127",
"to_ids": true,
"type": "md5",
"uuid": "5e31969f-ad9c-4559-aacc-7f1d950d210f",
"value": "03ea9457bf71d51d8109e737158be888"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1580308129",
"to_ids": true,
"type": "filename",
"uuid": "5e3196a1-b288-42bc-9736-7f1d950d210f",
"value": "Password_Policy.xlsm"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1580308135",
"to_ids": true,
"type": "sha256",
"uuid": "5e3196a7-e080-40c1-b384-7f1d950d210f",
"value": "6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1580308141",
"to_ids": true,
"type": "sha1",
"uuid": "5e3196ad-cd84-477f-9fa2-7f1d950d210f",
"value": "d20168c523058c7a82f6d79ef63ea546c794e57b"
}
]
},
{
"comment": "Job-themed Word document lure (qhtma) delivering PupyRAT",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "19",
"timestamp": "1582281745",
"uuid": "5e3196dc-2b94-4648-97b0-d77c950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5e3196dc-2b94-4648-97b0-d77c950d210f",
"referenced_uuid": "959f1fb7-4ad0-4407-82e1-0aa582296285",
"relationship_type": "analysed-with",
"timestamp": "1582281781",
"uuid": "5e4fb435-994c-4636-a70b-44d0950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1580308188",
"to_ids": true,
"type": "md5",
"uuid": "5e3196dc-6c14-4b40-a522-d77c950d210f",
"value": "43fad2d62bc23ffdc6d301571135222c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1580308191",
"to_ids": true,
"type": "sha256",
"uuid": "5e3196df-53e4-46e6-8a69-d77c950d210f",
"value": "e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1580308197",
"to_ids": true,
"type": "sha1",
"uuid": "5e3196e5-a51c-40f7-af2a-d77c950d210f",
"value": "735f5d7ef0c5129f0574bec3cf3d6b06b052744a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1582281745",
"uuid": "e5e73bc0-efa0-484e-8086-0f3137f470e3",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1580308046",
"to_ids": false,
"type": "datetime",
"uuid": "4efc3fca-4e47-41d4-9c53-6855fa268695",
"value": "2019-10-06T12:32:49+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1580308046",
"to_ids": false,
"type": "link",
"uuid": "1c2fbc9e-ec53-4563-a2fa-cbc5382a3f1e",
"value": "https://www.virustotal.com/file/8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71/analysis/1570365169/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1580308046",
"to_ids": false,
"type": "text",
"uuid": "2c9d6d4a-d21b-483d-8e06-5a477d379ecd",
"value": "48/68"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1582281768",
"uuid": "83aabfa5-efd1-401e-a84d-75ab6ab670f0",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1580307946",
"to_ids": false,
"type": "datetime",
"uuid": "bb7e0f82-e140-4983-81f3-1f50292b574a",
"value": "2020-01-27T06:52:25+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1580307946",
"to_ids": false,
"type": "link",
"uuid": "8c5c9af9-34a4-4495-b646-c40794eec2e9",
"value": "https://www.virustotal.com/file/66d24a529308d8ab7b27ddd43a6c2db84107b831257efb664044ec4437f9487b/analysis/1580107945/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1580307946",
"to_ids": false,
"type": "text",
"uuid": "920edadd-fc71-4b17-8faa-66e75327811d",
"value": "42/61"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1582281781",
"uuid": "87cbd279-31f6-474e-92b7-6f1ca9c322c8",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1580308135",
"to_ids": false,
"type": "datetime",
"uuid": "20e4a0ed-3bd1-4690-a439-eada2cb6a90a",
"value": "2020-01-16T14:24:18+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1580308135",
"to_ids": false,
"type": "link",
"uuid": "8eb1988e-1d7e-4c00-8988-fbccd32e52ef",
"value": "https://www.virustotal.com/file/6c195ea18c05bbf091f09873ed9cd533ec7c8de7a831b85690e48290b579634b/analysis/1579184658/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1580308135",
"to_ids": false,
"type": "text",
"uuid": "3f0c1ac0-fb20-4ecd-922a-cf23a82fd177",
"value": "40/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1582281781",
"uuid": "959f1fb7-4ad0-4407-82e1-0aa582296285",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1580308191",
"to_ids": false,
"type": "datetime",
"uuid": "53ff6fff-365d-4afa-94dd-bac37560dba3",
"value": "2020-01-15T20:35:20+00:00"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1580308191",
"to_ids": false,
"type": "link",
"uuid": "8148d76e-ac8e-4380-b1bb-0d233f81375c",
"value": "https://www.virustotal.com/file/e5b643cb6ec30d0d0b458e3f2800609f260a5f15c4ac66faf4ebf384f7976df6/analysis/1579120520/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1580308191",
"to_ids": false,
"type": "text",
"uuid": "4eb9669c-778b-42fc-a507-99bbd567195d",
"value": "42/59"
}
]
}
]
}
}