misp-circl-feed/feeds/circl/misp/544fee45-f108-4fa6-ace9-3989950d210b.json


{
"Event": {
"analysis": "2",
"date": "2014-10-27",
"extends_uuid": "",
"info": "OSINT APT28: A Window into Russia\u2019s Cyber Espionage Operations? blog post by FireEye",
"publish_timestamp": "1498163632",
"published": true,
"threat_level_id": "2",
"timestamp": "1498163533",
"uuid": "544fee45-f108-4fa6-ace9-3989950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#33FF00",
"local": "0",
"name": "tlp:green",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#12e000",
"local": "0",
"name": "misp-galaxy:threat-actor=\"Sofacy\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414524506",
"to_ids": false,
"type": "link",
"uuid": "544fee5a-2d54-45c7-96ae-4193950d210b",
"value": "http://www.fireeye.com/blog/technical/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414524506",
"to_ids": false,
"type": "link",
"uuid": "544fee5a-07ec-4539-803c-4ec7950d210b",
"value": "http://www.fireeye.com/resources/pdfs/apt28.pdf"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414524517",
"to_ids": false,
"type": "text",
"uuid": "544fee65-d4e8-4b02-a4db-073f950d210b",
"value": "APT28"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615650",
"to_ids": false,
"type": "comment",
"uuid": "544fee73-8964-4c74-a279-b8e1950d210b",
"value": "Data entered by David Andr\u00e9 with CIRCL collaboration"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526045",
"to_ids": true,
"type": "domain",
"uuid": "544ff45d-2f3c-4809-9279-3989950d210b",
"value": "kavkazcentr.info"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-39b0-4303-9ba7-3989950d210b",
"value": "rnil.am"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-a25c-46b3-9505-3989950d210b",
"value": "standartnevvs.com"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-c6c0-4b28-9733-3989950d210b",
"value": "novinitie.com"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-e07c-4056-99a5-3989950d210b",
"value": "n0vinite.com"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-4d2c-49ab-bf10-3989950d210b",
"value": "qov.hu.com"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-de0c-406b-b09b-3989950d210b",
"value": "q0v.pl"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-3774-4904-9235-3989950d210b",
"value": "nato.nshq.in"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-dc88-4862-a57a-3989950d210b",
"value": "natoexhibitionff14.com"
},
{
"category": "Network activity",
"comment": "Phishing domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526046",
"to_ids": true,
"type": "domain",
"uuid": "544ff45e-e8bc-40be-8afc-3989950d210b",
"value": "login-osce.org"
},
{
"category": "Network activity",
"comment": "Phishing hostnames",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615582",
"to_ids": true,
"type": "hostname",
"uuid": "544ff471-3828-428e-90a6-47e1950d210b",
"value": "mail.q0v.pl"
},
{
"category": "Network activity",
"comment": "Phishing hostnames",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615582",
"to_ids": true,
"type": "hostname",
"uuid": "544ff472-726c-4994-bb01-4d53950d210b",
"value": "poczta.mon.q0v.pl"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526082",
"to_ids": true,
"type": "md5",
"uuid": "544ff482-06e0-40ab-a168-52be950d210b",
"value": "272f0fde35dbdfccbca1e33373b3570d"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-93ec-4a79-b783-52be950d210b",
"value": "8b92fe86c5b7a9e34f433a6fbac8bc3a"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-fb00-4642-b300-52be950d210b",
"value": "9eebfebe3987fec3c395594dc57a0c4c"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-dd28-48ac-a3a8-52be950d210b",
"value": "da2a657dc69d7320f2ffc87013f257ad"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-0214-4d43-ae3d-52be950d210b",
"value": "1259c4fe5efd9bf07fc4c78466f2dd09"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-8e0c-4abe-8c30-52be950d210b",
"value": "3b0ecd011500f61237c205834db0e13a"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-3fa0-4d2b-bfa8-52be950d210b",
"value": "5882fda97fdf78b47081cc4105d44f7c"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-af00-4c6c-a454-52be950d210b",
"value": "791428601ad12b9230b9ace4f2138713"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-7b7c-4e49-88c5-52be950d210b",
"value": "ead4ec18ebce6890d20757bb9f5285b1"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-f044-4c5b-a1f8-52be950d210b",
"value": "48656a93f9ba39410763a2196aabc67f"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526083",
"to_ids": true,
"type": "md5",
"uuid": "544ff483-c8dc-4aa7-9aea-52be950d210b",
"value": "8c4fa713c5e2b009114adda758adc445"
},
{
"category": "Network activity",
"comment": "CnC servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526106",
"to_ids": true,
"type": "domain",
"uuid": "544ff49a-5084-4354-bf30-3989950d210b",
"value": "adobeincorp.com"
},
{
"category": "Network activity",
"comment": "CnC servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526106",
"to_ids": true,
"type": "domain",
"uuid": "544ff49a-9d70-430a-a6d7-3989950d210b",
"value": "windows-updater.com"
},
{
"category": "Network activity",
"comment": "CnC servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526106",
"to_ids": true,
"type": "domain",
"uuid": "544ff49a-57fc-4f67-ad9f-3989950d210b",
"value": "adawareblock.com"
},
{
"category": "Network activity",
"comment": "CnC servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526106",
"to_ids": true,
"type": "domain",
"uuid": "544ff49a-dfe0-4466-ba42-3989950d210b",
"value": "windous.kz"
},
{
"category": "Network activity",
"comment": "CnC servers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526106",
"to_ids": true,
"type": "domain",
"uuid": "544ff49a-9920-4e52-8790-3989950d210b",
"value": "wind0ws.kz"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526146",
"to_ids": true,
"type": "email-dst",
"uuid": "544ff4c2-914c-482f-aa29-4c43950d210b",
"value": "lisa.cuddy@wind0ws.kz"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414526146",
"to_ids": true,
"type": "email-dst",
"uuid": "544ff4c2-6e34-48b8-ac27-4730950d210b",
"value": "dr.house@wind0ws.kz"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567513",
"to_ids": false,
"type": "filename",
"uuid": "8041a130-1ead-43b7-9e3d-a8e19057292d",
"value": "Application Data\\Microsoft\\MediaPlayer\\"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567513",
"to_ids": false,
"type": "other",
"uuid": "23755a4c-fdfa-420e-964d-565ce679332f",
"value": "ProcessItem/name: updatewindws.exe"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567513",
"to_ids": false,
"type": "filename",
"uuid": "ef486ea3-4023-4fcc-960a-58eb87d77a03",
"value": "updatewindws.exe"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567513",
"to_ids": false,
"type": "comment",
"uuid": "54509659-ab28-4778-9e1a-449d950d210b",
"value": "long_info: OLDBAIT is a credential harvester. Both the internal strings and logic are obfuscated and are unpacked at startup. It harvests credentials from Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client made by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both email or HTTP to send out the collected credentials."
},
{
"category": "External analysis",
"comment": "OpenIOC import source file",
"data": "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",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567513",
"to_ids": false,
"type": "attachment",
"uuid": "54509659-bbf4-4523-a9db-42a6950d210b",
"value": "a438caeb-96dd-4225-853c-fc5910980961.ioc"
},
{
"category": "External analysis",
"comment": "OpenIOC import source file",
"data": "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",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567563",
"to_ids": false,
"type": "attachment",
"uuid": "5450968b-cab4-4442-9cc7-4e1c950d210b",
"value": "0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567621",
"to_ids": false,
"type": "filename",
"uuid": "0195bdbb-61bd-4fdd-bc80-cc130234b0a9",
"value": "netui.dll"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567621",
"to_ids": false,
"type": "other",
"uuid": "d96396b2-672a-4518-87a2-53c66d20676a",
"value": "ProcessItem/SectionList/MemorySection/Name: \\netui.dll"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567621",
"to_ids": false,
"type": "comment",
"uuid": "545096c5-e860-4c9c-97fc-4d8c950d210b",
"value": "long_info: This backdoor has been delivered through the SOURFACE downloader to gain system access for reconnaissance, monitoring, credential theft, and shellcode execution."
},
{
"category": "External analysis",
"comment": "OpenIOC import source file",
"data": "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",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567621",
"to_ids": false,
"type": "attachment",
"uuid": "545096c5-f8c8-49ac-9b71-4e72950d210b",
"value": "a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616373",
"to_ids": true,
"type": "filename",
"uuid": "30842d86-e073-4b6e-a5e0-d6b354f6847a",
"value": "edg6EF885E2.tmp"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567659",
"to_ids": false,
"type": "other",
"uuid": "a0e443e4-6a41-4856-8c14-d1a271ba7b6b",
"value": "ProcessItem/HandleList/Handle/Name: \\Device\\Mailslot\\check_mes_v5555"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567659",
"to_ids": false,
"type": "comment",
"uuid": "545096eb-1e24-4dd2-861e-46b7950d210b",
"value": "long_info: CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This framework allows for a diverse set of capabilities across malware variants sharing a common code base. CHOPSTICK may communicate with external servers using SMTP or HTTP."
},
{
"category": "External analysis",
"comment": "OpenIOC import source file",
"data": "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",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567659",
"to_ids": false,
"type": "attachment",
"uuid": "545096eb-3080-401b-9a3a-4f7f950d210b",
"value": "bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "5ea9f200-01f1-411e-94e3-49903f14d6f9",
"value": "8c4fa713c5e2b009114adda758adc445"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "3f83ca5b-9a2c-4aeb-94ef-28093f6709f8",
"value": "3b0ecd011500f61237c205834db0e13a"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "3fe4547e-5e19-4bb3-9792-eb382de45eb0",
"value": "791428601ad12b9230b9ace4f2138713"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "020e58f2-e4f2-4801-b731-d26589bd96b6",
"value": "5882fda97fdf78b47081cc4105d44f7c"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "b48a7011-59d9-4c53-8d6c-2710d705b0c6",
"value": "48656a93f9ba39410763a2196aabc67f"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "9106bde9-52f4-49db-86a1-13f4363bc029",
"value": "9eebfebe3987fec3c395594dc57a0c4c"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "8253e6f6-4248-4751-a818-f5d77efd469c",
"value": "8b92fe86c5b7a9e34f433a6fbac8bc3a"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "b707e318-bb58-4965-be62-a15ccf896891",
"value": "ead4ec18ebce6890d20757bb9f5285b1"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "51c11809-d0be-45e0-a035-e5d63686e889",
"value": "1259c4fe5efd9bf07fc4c78466f2dd09"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "21169314-ed29-4148-a70e-e9798894ea55",
"value": "272f0fde35dbdfccbca1e33373b3570d"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "other",
"uuid": "87ba0439-df69-4c21-9013-be773de352ce",
"value": "ProcessItem/SectionList/MemorySection/Name: AppData\\Local\\conhost.dll"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "other",
"uuid": "2660589c-6263-44e1-b4de-484db317f93c",
"value": "ProcessItem/SectionList/MemorySection/Name: Local Settings\\Application Data\\conhost.dll"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "other",
"uuid": "e3fad633-2b34-4bdb-864e-be495f549e2a",
"value": "ProcessItem/SectionList/MemorySection/PEInfo/Exports/DllName: coreshell.dll"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "other",
"uuid": "820fc95e-3d6f-4771-a592-fb60811fa0c0",
"value": "ProcessItem/SectionList/MemorySection/Name: \\netids.dll"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "filename",
"uuid": "e704246d-ecca-4ac5-82a7-404c93aab893",
"value": "Local Settings\\Application Data\\svchost.exe"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "filename",
"uuid": "91b06096-1333-470f-8d49-f408b51d84a1",
"value": "Local Settings\\Application Data\\conhost.dll"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "filename",
"uuid": "37148f5b-fff5-4c9e-98aa-f52fb01a3547",
"value": "AppData\\Local\\svchost.exe"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567718",
"to_ids": false,
"type": "filename",
"uuid": "09dd2172-ed97-433f-9c59-517161b78b2d",
"value": "AppData\\Local\\conhost.dll"
},
{
"category": "Network activity",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567719",
"to_ids": false,
"type": "ip-src",
"uuid": "590e7aef-7df8-47cd-916a-360d83f132f5",
"value": "70.85.221.10"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567719",
"to_ids": false,
"type": "filename",
"uuid": "5fa65919-9467-4de8-9cb7-8574ff86b85d",
"value": "netids.dll"
},
{
"category": "Payload installation",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615546",
"to_ids": true,
"type": "md5",
"uuid": "ec771d67-32c0-4076-8e9f-d9ce6b9f2a80",
"value": "da2a657dc69d7320f2ffc87013f257ad"
},
{
"category": "Other",
"comment": "OpenIOC import",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567719",
"to_ids": false,
"type": "comment",
"uuid": "54509725-4978-4706-bf95-4638950d210b",
"value": "long_info: SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. Over time the downloader has evolved and the newer versions, usually compiled with the DLL name 'coreshell.dll'. These variants are distinct from the older versions so we refer to it as SOURFACE/CORESHELL or simply CORESHELL."
},
{
"category": "External analysis",
"comment": "OpenIOC import source file",
"data": "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",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414567719",
"to_ids": false,
"type": "attachment",
"uuid": "54509725-678c-4a8c-a283-4c8c950d210b",
"value": "e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-0784-49fe-bdff-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/tree/master/APT28"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-3364-46b3-9145-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-b254-4a77-8bc0-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-b94c-41ae-9be0-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-354c-4406-8bde-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-24ac-4754-a2a6-b9b0950d210b",
"value": "https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-969c-4f4b-a2c1-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-dd3c-426c-ae5a-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-60d4-4a77-b1c4-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-bbc8-45b9-899f-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615410",
"to_ids": false,
"type": "link",
"uuid": "54515172-e024-4106-9098-b9b0950d210b",
"value": "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414615472",
"to_ids": true,
"type": "domain",
"uuid": "545151b0-b7b4-4d33-a3c6-6181950d210b",
"value": "smigroup-online.co.uk"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616303",
"to_ids": false,
"type": "text",
"uuid": "545154ef-0bac-4215-ba2d-4ab3950d210b",
"value": "OLDBAIT"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616303",
"to_ids": false,
"type": "text",
"uuid": "545154ef-3db8-4a5a-9726-47c9950d210b",
"value": "EVILTOSS"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616303",
"to_ids": false,
"type": "text",
"uuid": "545154ef-3854-4a2b-9b51-403e950d210b",
"value": "CHOPSTICK"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616303",
"to_ids": false,
"type": "text",
"uuid": "545154ef-7dfc-4e2c-88b8-4fab950d210b",
"value": "SOURFACE"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616475",
"to_ids": true,
"type": "domain",
"uuid": "5451559b-be98-46ff-9f68-800f950d210b",
"value": "g0v.pl"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616475",
"to_ids": true,
"type": "domain",
"uuid": "5451559b-5a28-4c55-ba34-800f950d210b",
"value": "nshq.in"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616475",
"to_ids": true,
"type": "domain",
"uuid": "5451559b-69cc-4db0-a51c-800f950d210b",
"value": "baltichost.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616529",
"to_ids": true,
"type": "hostname",
"uuid": "545155d1-e76c-4f65-aae3-b9b0950d210b",
"value": "mail.g0v.pl"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1414616529",
"to_ids": true,
"type": "hostname",
"uuid": "545155d1-4304-461e-9615-b9b0950d210b",
"value": "nato.nshq.in"
},
{
"category": "External analysis",
"comment": "Automatically added (via 8c4fa713c5e2b009114adda758adc445)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833017",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fb9-0644-4c76-b9d5-c653950d210f",
"value": "f5b3e98c6b5d65807da66d50bd5730d35692174d"
},
{
"category": "External analysis",
"comment": "Automatically added (via 48656a93f9ba39410763a2196aabc67f)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833020",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fbc-c38c-4ebe-a6b2-40e8950d210f",
"value": "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
},
{
"category": "External analysis",
"comment": "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833023",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fbf-d514-4dbf-b3dc-599c950d210f",
"value": "ed48ef531d96e8c7360701da1c57e2ff13f12405"
},
{
"category": "External analysis",
"comment": "Automatically added (via 791428601ad12b9230b9ace4f2138713)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833025",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fc1-5308-452f-8ea2-4958950d210f",
"value": "367d40465fd1633c435b966fa9b289188aa444bc"
},
{
"category": "External analysis",
"comment": "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833028",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fc4-59e8-4951-8576-c652950d210f",
"value": "cf3220c867b81949d1ce2b36446642de7894c6dc"
},
{
"category": "External analysis",
"comment": "Automatically added (via 3b0ecd011500f61237c205834db0e13a)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833030",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fc6-f364-4e59-a679-c650950d210f",
"value": "682e49efa6d2549147a21993d64291bfa40d815a"
},
{
"category": "External analysis",
"comment": "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833033",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fc9-2818-407f-8c13-42f1950d210f",
"value": "d9c53adce8c35ec3b1e015ec8011078902e6800b"
},
{
"category": "External analysis",
"comment": "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833036",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fcc-fa60-440b-bb3f-59a1950d210f",
"value": "6316258ca5ba2d85134ad7427f24a8a51ce4815b"
},
{
"category": "External analysis",
"comment": "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833039",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fcf-2d28-4d26-b266-c652950d210f",
"value": "e2450dffa675c61aa43077b25b12851a910eeeb6"
},
{
"category": "External analysis",
"comment": "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833041",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fd1-439c-4d04-9e0d-c651950d210f",
"value": "85522190958c82589fa290c0835805f3d9a2f8d6"
},
{
"category": "External analysis",
"comment": "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833044",
"to_ids": true,
"type": "sha1",
"uuid": "56c63fd4-1d2c-453b-873d-5ca1950d210f",
"value": "d87b310aa81ae6254fff27b7d57f76035f544073"
},
{
"category": "External analysis",
"comment": "Automatically added (via 8c4fa713c5e2b009114adda758adc445)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833019",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fbb-19c0-43af-a6b7-599f950d210f",
"value": "d58f2a799552aff8358e9c63a4345ea971b27edd14b8eac825db30a8321d1a7a"
},
{
"category": "External analysis",
"comment": "Automatically added (via 48656a93f9ba39410763a2196aabc67f)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833021",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fbd-3ca8-4b5b-91d1-4b0d950d210f",
"value": "c8087186a215553d2f95c68c03398e17e67517553f6e9a8adc906faa51bce946"
},
{
"category": "External analysis",
"comment": "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833024",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fc0-ec50-4ce9-95e1-599d950d210f",
"value": "7695f20315f84bb1d940149b17dd58383210ea3498450b45fefa22a450e79683"
},
{
"category": "External analysis",
"comment": "Automatically added (via 791428601ad12b9230b9ace4f2138713)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833026",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fc2-d3a8-4484-977c-44e8950d210f",
"value": "29cc2e69f65b9ce5fe04eb9b65942b2dabf48e41770f0a49eb698271b99d2787"
},
{
"category": "External analysis",
"comment": "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833029",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fc5-4654-4248-b045-599c950d210f",
"value": "744f2a1e1a62dff2a8d5bd273304a4d21ee37a3c9b0bdcffeeca50374bd10a39"
},
{
"category": "External analysis",
"comment": "Automatically added (via 3b0ecd011500f61237c205834db0e13a)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833032",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fc8-fe70-4a09-8e89-c651950d210f",
"value": "7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965"
},
{
"category": "External analysis",
"comment": "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833034",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fca-b464-4f85-8926-59a2950d210f",
"value": "102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a"
},
{
"category": "External analysis",
"comment": "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833037",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fcd-0868-4b54-a95d-5ca1950d210f",
"value": "d54173be095b688016528f18dc97f2d583efcf5ce562ec766afc0b294eb51ac7"
},
{
"category": "External analysis",
"comment": "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833040",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fd0-08cc-4889-8343-4d32950d210f",
"value": "e6d09ce32cc62b6f17279204fac1771a6eb35077bb79471115e8dfed2c86cd75"
},
{
"category": "External analysis",
"comment": "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833042",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fd2-40b8-4459-8d9a-c653950d210f",
"value": "03ed773bde6c6a1ac3b24bde6003322df8d41d3d1c85109b8669c430b58d2f69"
},
{
"category": "External analysis",
"comment": "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455833045",
"to_ids": true,
"type": "sha256",
"uuid": "56c63fd5-98f8-4ed5-bc19-c654950d210f",
"value": "423a0799efe41b28a8b765fa505699183c8278d5a7bf07658b3bd507bfa5346f"
}
]
}
}