{
"Event" : {
"analysis" : "2" ,
"date" : "2019-01-11" ,
"extends_uuid" : "" ,
"info" : "ServHelper and FlawedGrace - New malware introduced by TA505" ,
"publish_timestamp" : "1547235309" ,
"published" : true ,
"threat_level_id" : "2" ,
"timestamp" : "1547235254" ,
"uuid" : "5c38eb9d-a470-4466-8aa5-461802de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234229" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5c38ebb5-2b1c-43f9-b582-4ce402de0b81" ,
"value" : "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234265" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c38ebd9-1e0c-47f9-b3de-4e5f02de0b81" ,
"value" : "For much of 2018, we observed threat actors increasingly distributing downloaders, backdoors, information stealers, remote access Trojans (RATs), and more as they abandoned ransomware as their primary payload. In November 2018, TA505, a prolific actor that has been at the forefront of this trend, began distributing a new backdoor we named \u201cServHelper\u201d. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader. Additionally we have observed the downloader variant download a malware we call \u201cFlawedGrace.\u201d FlawedGrace is a full-featured RAT that we first observed in November 2017. TA505 appears to be actively targeting banks, retail businesses, and restaurants as they distribute these malware families. This targeting falls in line with other activity we reported earlier in 2018.[1] [2]"
} ,
{
"category" : "Payload delivery" ,
"comment" : "November 9 \u201cTunnel\u201d campaign attachment" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234344" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ec28-4288-404a-8d79-409502de0b81" ,
"value" : "52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c"
} ,
{
"category" : "Network activity" ,
"comment" : "November 9 \u201cTunnel\u201d campaign payload" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234345" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ec29-ca90-4d61-b587-483402de0b81" ,
"value" : "http://officemysuppbox.com/staterepository"
} ,
{
"category" : "Payload delivery" ,
"comment" : "November 9 \u201cTunnel\u201d campaign ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234345" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ec29-cbcc-426b-a112-479a02de0b81" ,
"value" : "1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8"
} ,
{
"category" : "Network activity" ,
"comment" : "November 9 \u201cTunnel\u201d campaign ServHelper C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234433" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ec81-8114-453f-a76f-462c02de0b81" ,
"value" : "https://checksolutions.pw/ghuae/huadh.php"
} ,
{
"category" : "Network activity" ,
"comment" : "November 9 \u201cTunnel\u201d campaign ServHelper C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234434" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ec82-7328-43ae-a83c-4e0d02de0b81" ,
"value" : "https://rgoianrdfa.pw/ghuae/huadh.php"
} ,
{
"category" : "Network activity" ,
"comment" : "November 9 \u201cTunnel\u201d campaign ServHelper C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234436" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ec84-6238-4587-a4c2-47e802de0b81" ,
"value" : "https://arhidsfderm.pw/ghuae/huadh.php"
} ,
{
"category" : "Payload delivery" ,
"comment" : "November 15 \u201cDownloader\u201d campaign attachment" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234502" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ecc6-ad9c-4c16-8b57-406702de0b81" ,
"value" : "eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4"
} ,
{
"category" : "Network activity" ,
"comment" : "November 15 \u201cDownloader\u201d campaign payload" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234503" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ecc7-3d94-48ef-86dd-4af602de0b81" ,
"value" : "http://offficebox.com/host32"
} ,
{
"category" : "Payload delivery" ,
"comment" : "November 15 \u201cDownloader\u201d campaign ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234504" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ecc8-9afc-4b51-a387-462b02de0b81" ,
"value" : "3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "December 13 \u201cFlawedGrace\u201d campaign attachment" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234632" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ed48-9170-4e7a-9c80-457902de0b81" ,
"value" : "f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac"
} ,
{
"category" : "Network activity" ,
"comment" : "December 13 \u201cFlawedGrace\u201d campaign payload" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234633" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ed49-f930-49d8-a74d-479002de0b81" ,
"value" : "http://office365onlinehome.com/host32"
} ,
{
"category" : "Payload delivery" ,
"comment" : "December 13 \u201cFlawedGrace\u201d campaign ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234635" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ed4b-94a4-4a0a-99ed-493702de0b81" ,
"value" : "d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58"
} ,
{
"category" : "Network activity" ,
"comment" : "December 13 \u201cFlawedGrace\u201d campaign ServHelper C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234636" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ed4c-1850-4b83-acff-41a902de0b81" ,
"value" : "https://afgdhjkrm.pw/aggdst/Hasrt.php"
} ,
{
"category" : "Payload delivery" ,
"comment" : "December 13 \u201cFlawedGrace\u201d campaign FlawedGrace" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234637" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ed4d-4cfc-4dcb-9589-426502de0b81" ,
"value" : "efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74"
} ,
{
"category" : "Network activity" ,
"comment" : "On port 443 - December 13 \u201cFlawedGrace\u201d campaign FlawedGrace C&C" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234638" ,
"to_ids" : true ,
"type" : "ip-dst|port" ,
"uuid" : "5c38ed4e-a218-45c1-8b89-417302de0b81" ,
"value" : "46.161.27.241|443"
} ,
{
"category" : "Payload delivery" ,
"comment" : "\u201csethijack\u201d command ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234683" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38ed7b-e224-4af8-9dc7-42ee02de0b81" ,
"value" : "9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579"
} ,
{
"category" : "Network activity" ,
"comment" : "\u201csethijack\u201d command ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234684" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ed7c-9934-48fb-bd11-468502de0b81" ,
"value" : "http://dedsolutions.bit/sav/s.php"
} ,
{
"category" : "Network activity" ,
"comment" : "\u201csethijack\u201d command ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234684" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ed7c-c294-4a13-8ca0-4a6c02de0b81" ,
"value" : "http://dedoshop.pw/sav/s.php"
} ,
{
"category" : "Network activity" ,
"comment" : "\u201csethijack\u201d command ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234685" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ed7d-78a4-4209-9d86-487802de0b81" ,
"value" : "http://asgaage.pw/sav/s.php"
} ,
{
"category" : "Network activity" ,
"comment" : "\u201csethijack\u201d command ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234685" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38ed7d-5044-42a1-ad79-448802de0b81" ,
"value" : "http://sghee.pw/sav/s.php"
} ,
{
"category" : "Payload delivery" ,
"comment" : "\u201cloaddll\u201d command ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234729" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c38eda9-e79c-4d21-81f8-f12202de0b81" ,
"value" : "a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549"
} ,
{
"category" : "Network activity" ,
"comment" : "\u201cloaddll\u201d command ServHelper" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1547234730" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c38edaa-4f38-4119-9419-f12202de0b81" ,
"value" : "https://vesecase.com/support/form.php"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235223" ,
"uuid" : "93f50fcd-264a-4734-b4c0-bfec7f37860f" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "93f50fcd-264a-4734-b4c0-bfec7f37860f" ,
"referenced_uuid" : "42ba88bf-bca8-4ff2-b33d-d23ce9877340" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-6818-4ef5-877b-461c02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235223" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "d37db0d8-0b47-4dcf-974f-9139ab53714a" ,
"value" : "4b9054475ff9aa15be35b42264715354"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235223" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "a7f9f74d-cabb-4dab-a78e-ac7d84332fab" ,
"value" : "a088dfaee1779878353a1dc347a91a892e5dfd74"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235224" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "9fa0c5b3-d24b-4a0d-8535-65945b8de58c" ,
"value" : "efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235224" ,
"uuid" : "42ba88bf-bca8-4ff2-b33d-d23ce9877340" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235225" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "8a72aaeb-4f03-47e2-a3e4-adb505a7051b" ,
"value" : "2019-01-11T18:46:42"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235225" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "7156ecf8-44d3-4ea7-b9ea-f06a090614d6" ,
"value" : "https://www.virustotal.com/file/efcee275d23b6e71589452b1cb3095ff92b10ab68cd07957b2ad6be587647b74/analysis/1547232402/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235225" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "08a7810c-0763-4997-b152-80ddfc699815" ,
"value" : "27/63"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235225" ,
"uuid" : "c14e45cb-8dfc-4140-b541-135402f6af96" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "c14e45cb-8dfc-4140-b541-135402f6af96" ,
"referenced_uuid" : "7d6c516a-90e2-4597-9b08-c10fa4cd2a81" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-9c70-4f52-a04e-42ea02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235226" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "06d4e9eb-a98f-4a85-b936-ec5eb0e0e835" ,
"value" : "daf7d35eeed3058c821bde464913f9ca"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235226" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "6fe88569-9df9-49c5-a6c0-8d6a428b9b9b" ,
"value" : "e2c8cb0d6a89b995a9ec77b2838863c08e33d6a5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235226" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "b5f72d32-8b4a-4aff-b7a4-a82d4bea94a3" ,
"value" : "9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235227" ,
"uuid" : "7d6c516a-90e2-4597-9b08-c10fa4cd2a81" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235227" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "589de291-5218-445f-8af9-6b3e8e0d4cf1" ,
"value" : "2019-01-11T09:15:15"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235228" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "e9665877-4b83-4dcb-b524-c1ec6348aaa3" ,
"value" : "https://www.virustotal.com/file/9fccd107bd0aee3a2f39ad76a49758309c95545d8154b808eec24d2b51dc4579/analysis/1547198115/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235228" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0a6d3f73-b8f8-4f65-90ca-e98976f2b898" ,
"value" : "43/68"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235228" ,
"uuid" : "35fdb030-5cd9-4621-b76c-2dfab467bc3b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "35fdb030-5cd9-4621-b76c-2dfab467bc3b" ,
"referenced_uuid" : "c8cbc23d-0f33-4643-977f-fe2fd3da8a19" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-0900-4615-8cba-4f7a02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235228" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5783ce23-2253-4595-bafa-4b4e6d209b7e" ,
"value" : "5cd4aecb962528166ad1a0b72f675c44"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235229" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "67f6728e-466f-4dc7-9da1-6cde3a9058c5" ,
"value" : "1242dc4d1ece26ef15dc3bdb8ed13e8b04d6a178"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235229" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "f8d4664e-189d-4b53-afc6-e7c5482defc4" ,
"value" : "1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235230" ,
"uuid" : "c8cbc23d-0f33-4643-977f-fe2fd3da8a19" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235230" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "c41b5480-eac8-4ba5-b286-a39a2b93b45a" ,
"value" : "2019-01-11T09:32:27"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235230" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5e9a3b2e-2b50-4563-9093-17602afa0130" ,
"value" : "https://www.virustotal.com/file/1b0859ddbdebcb9d2bb46de00d73aa21bc617614b8123054426556783b211bc8/analysis/1547199147/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235231" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "69071e5c-1be3-4edf-b07b-f87e150428b7" ,
"value" : "43/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235231" ,
"uuid" : "0d6c7429-1495-4d3f-bfe1-d3834a273606" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "0d6c7429-1495-4d3f-bfe1-d3834a273606" ,
"referenced_uuid" : "9dd16ec7-f062-459f-968c-c5bb43d3a327" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-f7cc-4ea3-aa55-4e0002de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235231" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "cbfd2fb5-184f-4052-9cec-f7e1dc9d1ef4" ,
"value" : "db0b9554ef0c4b3004c2cdb43a9fb020"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235231" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "36a32ac2-0ab1-4d9c-ad07-111851271352" ,
"value" : "2f760f967f042827cda567fa07713371d746aa11"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235232" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "8aaa4d01-99d0-403b-8a3f-f6a26d52c502" ,
"value" : "52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235232" ,
"uuid" : "9dd16ec7-f062-459f-968c-c5bb43d3a327" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235232" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d4da3848-cf16-4df4-9301-83f9b703e5a0" ,
"value" : "2019-01-11T09:02:13"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235233" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "75d2b444-f984-4e6b-b32b-5f6588f4eb5c" ,
"value" : "https://www.virustotal.com/file/52c72a9de2f6e892f07827add85ad913b0541cd5c8449aadc2722f8eb75e548c/analysis/1547197333/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235233" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "1d1f3b46-6c15-4450-9871-039ddc29078f" ,
"value" : "37/58"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235233" ,
"uuid" : "dc0e2eae-79dc-496c-8e6f-51c6a3f7b419" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "dc0e2eae-79dc-496c-8e6f-51c6a3f7b419" ,
"referenced_uuid" : "8d3be9f6-584f-4b1d-bfbf-c9dff2c08ad7" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-f914-4e0f-a194-41b602de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235233" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "da4090ad-66ca-4b0a-bf25-167cfef511a5" ,
"value" : "a6563a927d925b1231deaa090403bc9a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235234" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "f094be33-d8e9-40ff-9907-4405b8e1d4fb" ,
"value" : "e501be071953aa308faad656cfa2d73a3902d8a4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235234" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "b7555159-7a4f-48d7-a8df-15808f42980b" ,
"value" : "a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235235" ,
"uuid" : "8d3be9f6-584f-4b1d-bfbf-c9dff2c08ad7" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235235" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d0f5ecbe-6c20-4b4d-8170-ba4e93d94ebb" ,
"value" : "2019-01-11T09:12:29"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235235" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "cb9a7cb0-5e67-4e8d-a706-4ea332ac156e" ,
"value" : "https://www.virustotal.com/file/a9492312f1258567c3633ed077990fe053776cd576aa60ac7589c6bd7829d549/analysis/1547197949/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235236" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8c082351-3562-4c7e-b5bf-057e81fad3da" ,
"value" : "30/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235236" ,
"uuid" : "9e493185-b642-4a33-9cc1-0b141391605d" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "9e493185-b642-4a33-9cc1-0b141391605d" ,
"referenced_uuid" : "6624c405-ed32-4075-9501-29967d631716" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-9c04-4fef-b4e6-47e702de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235236" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "0047f237-4e10-4df8-a694-39b6990e5674" ,
"value" : "bf4ea62bb7117b1d5f31873c84a95f5a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235236" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "0e2f24dc-bc59-4b7e-8369-d398ca89e570" ,
"value" : "3fc7d7f1d47b2ac971d778f580cf64a112127aa9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235237" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "2d9e790e-ffd3-4195-a175-b3440e718d2c" ,
"value" : "f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235237" ,
"uuid" : "6624c405-ed32-4075-9501-29967d631716" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235237" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "f70d9f53-8238-4721-9518-5eddacb58d1b" ,
"value" : "2019-01-11T10:52:12"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235238" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "d34102bb-440b-4393-b738-9ae187d0fefe" ,
"value" : "https://www.virustotal.com/file/f4b9219f329803dd45afd5646351de456e608dd946830c961ec66c6c25e52cac/analysis/1547203932/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235238" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b35598ba-ea92-4b89-97ae-fe5379e4a3f7" ,
"value" : "9/58"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235238" ,
"uuid" : "40d64a11-4524-4a53-b736-9326233a65d9" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "40d64a11-4524-4a53-b736-9326233a65d9" ,
"referenced_uuid" : "6a7c6829-6213-4f4a-9141-eb2394cd32a7" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-df38-4b99-b8e1-4b0402de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235238" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "28103ef5-bc72-4611-a1bc-b7f4ee871232" ,
"value" : "0f459932b21d0c6dfcc199951058c0a5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235239" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "c02f4009-4a3d-4df8-9888-7839fa1b1e62" ,
"value" : "9ff00fe5f0921a6a591b7db3a1838834348e123d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235239" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5af6bd13-94a4-4baf-a393-5de82bea149f" ,
"value" : "3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235241" ,
"uuid" : "6a7c6829-6213-4f4a-9141-eb2394cd32a7" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235241" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a508cd3f-eb30-450e-82ea-6eac3d988f84" ,
"value" : "2019-01-11T09:13:28"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235242" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "7138648d-6ba2-4f2d-aeca-1fe74de7801e" ,
"value" : "https://www.virustotal.com/file/3cd7e0a8321259e8446b2a9da775aae674715c74ff4923cfc8ec5102f380d41a/analysis/1547198008/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235243" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5466e6ec-78e0-4762-bb46-3112333840a2" ,
"value" : "40/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235243" ,
"uuid" : "4170ad0b-e0f8-4246-8505-63d85a0e84bd" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "4170ad0b-e0f8-4246-8505-63d85a0e84bd" ,
"referenced_uuid" : "8d4ff865-dbce-44b3-86ac-0e461519ea20" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-1220-45d5-a097-469502de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235243" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "859b804b-5434-418f-9873-587ecf464add" ,
"value" : "b811a63eaa3f6a76d4176a64655c086f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235245" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "9f794af6-9c18-4ee3-a960-c4b7ccd8a8e0" ,
"value" : "45f3b9f49d4c680de6fdede99427289a11317aa0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235246" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "47de8a0b-b871-402e-83d8-7aa9667ef3fb" ,
"value" : "eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235247" ,
"uuid" : "8d4ff865-dbce-44b3-86ac-0e461519ea20" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235247" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "c6f3b4ea-17b4-4132-99eb-5bcbd85146db" ,
"value" : "2019-01-11T09:09:08"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235249" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5c4776a4-dbe9-4950-8a7e-81a4f9519100" ,
"value" : "https://www.virustotal.com/file/eb66ebb95a3dcecae64c61f611a9332fbf460d1b8039d3ab7e4f220104a4bec4/analysis/1547197748/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235250" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "832ae984-cfdb-4ba3-a7d7-ce24471b9b48" ,
"value" : "35/58"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1547235250" ,
"uuid" : "6ef8a2ea-6ae3-4fa0-afe7-bdb2e9607a56" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "6ef8a2ea-6ae3-4fa0-afe7-bdb2e9607a56" ,
"referenced_uuid" : "027e06a2-ba9d-4604-9a8d-5230c140eae8" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1547235257" ,
"uuid" : "5c38efb9-11f8-41b2-b7f7-474a02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1547235250" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "c1611d5c-08e6-4db5-943a-59d63bfd0111" ,
"value" : "c4a201a6f5e07136923f824bda4cd54f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1547235251" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "e1173c46-d6e8-4489-b971-70e7b634d79b" ,
"value" : "a0bcdb0ce8999bfb75723236e15e4f557a784743"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1547235253" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56acae1c-f536-4fe7-aa3e-8c4ed91abed9" ,
"value" : "d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1547235254" ,
"uuid" : "027e06a2-ba9d-4604-9a8d-5230c140eae8" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1547235254" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "73a12bc5-bfd2-4c6d-b138-4b6258f0dd17" ,
"value" : "2019-01-11T10:52:31"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1547235255" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "c043dc85-8fc5-4e39-abd0-c8237f97d111" ,
"value" : "https://www.virustotal.com/file/d56429d6d0222022fe8f4cb35a28cd4fb83f87b666a186eb54d9785f01bb4b58/analysis/1547203951/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1547235257" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "9213d232-6ae9-4629-8593-4d493d7007ac" ,
"value" : "33/69"
}
]
}
]
}
}