misp-circl-feed/feeds/circl/misp/5cac8884-5a80-4a5b-b3f9-ada3950d210f.json


{
"Event": {
"analysis": "2",
"date": "2019-04-09",
"extends_uuid": "",
"info": "OSINT - STUXSHOP The Oldest Stuxnet Component Dials Up",
"publish_timestamp": "1554837999",
"published": true,
"threat_level_id": "2",
"timestamp": "1554837719",
"uuid": "5cac8884-5a80-4a5b-b3f9-ada3950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:malpedia=\"Stuxnet\"",
"relationship_type": ""
},
{
"colour": "#086a00",
"local": "0",
"name": "misp-galaxy:tool=\"Stuxnet\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554811041",
"to_ids": false,
"type": "text",
"uuid": "5cac88a1-c61c-43b2-81cb-2bc9950d210f",
"value": "During our research into the GossipGirl Supra Threat Actor (STA) cluster, we discovered a previously unknown relationship exemplified in an early Stuxnet component \u2013 built in part on the Flowershop malware framework. While other known versions of Stuxnet were partially linked to the Flame platform (a.k.a. Flamer, SkyWiper) or the \u2018Tilded Platform\u2019 (a.k.a. DuQu), this older component shares code with Flowershop \u2013 an even older malware framework active as early as 2002. In an interesting show of longevity, this Stuxnet component \u2013 which we\u2019ve dubbed Stuxshop \u2013 is configured to communicate with known Stuxnet command-and-control (C&C) servers and even includes logic to suppress dial-up prompts for disconnected (or possibly airgapped) machines. The value of this recent finding is twofold: First, it suggests that yet another team with its own malware platform was involved in the early development of Stuxnet. And secondly, it supports the view that Stuxnet is in fact the product of a modular development framework meant to enable collaboration among diverse, independent threat actors. Our recent findings, alongside the outstanding body of previously reported technical analysis on this threat, would place the \u2018Flowershop team\u2019 alongside Equation, Flame, and Duqu as those involved in tooling the different phases of Stuxnet as an operation active perhaps as early as 2006. Perhaps the most apt metaphor for Stuxnet is that of a \u2018plane built as it\u2019s being flown\u2019."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554811060",
"to_ids": false,
"type": "link",
"uuid": "5cac88b4-82f0-40c1-bf5c-3009950d210f",
"value": "https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf"
},
{
"category": "Network activity",
"comment": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554812726",
"to_ids": true,
"type": "url",
"uuid": "5cac8f36-c224-4ca1-b482-c1da950d210f",
"value": "http://211.24.237.226/index.php?data="
},
{
"category": "Network activity",
"comment": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554812726",
"to_ids": true,
"type": "url",
"uuid": "5cac8f36-bee8-41f2-97ba-c1da950d210f",
"value": "http://todaysfutbol.com/index.php?data="
},
{
"category": "Network activity",
"comment": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554812726",
"to_ids": true,
"type": "url",
"uuid": "5cac8f36-a064-4c8f-9b64-c1da950d210f",
"value": "http://78.111.169.146/index.php?data="
},
{
"category": "Network activity",
"comment": "Stuxshop samples identified thus far contain four hardcoded C&C servers such as",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554812726",
"to_ids": true,
"type": "url",
"uuid": "5cac8f36-3c18-4fec-8be3-c1da950d210f",
"value": "http://mypremierfutbol.com/index.php?data="
},
{
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836031",
"to_ids": true,
"type": "sha256",
"uuid": "5cacea3f-924c-4319-8993-43a302de0b81",
"value": "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
},
{
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836031",
"to_ids": true,
"type": "sha256",
"uuid": "5cacea3f-0ee0-4dd4-a623-418202de0b81",
"value": "1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installer with Embedded Stuxshop",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836051",
"to_ids": true,
"type": "sha256",
"uuid": "5cacea53-f988-4e9c-8d3a-467302de0b81",
"value": "f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836078",
"to_ids": true,
"type": "sha256",
"uuid": "5cacea6e-5a00-489d-aab9-46c502de0b81",
"value": "77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836078",
"to_ids": true,
"type": "sha256",
"uuid": "5cacea6e-74d8-45d6-905e-45ad02de0b81",
"value": "a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803"
},
{
"category": "Payload delivery",
"comment": "Deobfuscated Resource 231/Stuxshop modules",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836098",
"to_ids": true,
"type": "sha256",
"uuid": "5cacea82-abf4-4c0d-907c-4bb402de0b81",
"value": "a248c9eeb8e53bbebce42f55e2bfa71bfc70ffcd9dff3271bfd338e1578f37a1"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "5caceaaa-e558-4992-99be-4a1b02de0b81",
"value": "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "5caceaaa-2ebc-4fbc-bdbe-411802de0b81",
"value": "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "5caceaaa-4660-45bc-92c7-4c9702de0b81",
"value": "683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "5caceaaa-78dc-4a6d-83e6-4ff002de0b81",
"value": "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "5caceaaa-f400-4670-8acd-4c5b02de0b81",
"value": "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554836200",
"to_ids": true,
"type": "yara",
"uuid": "5caceae8-f6cc-4959-97cf-a79102de0b81",
"value": "rule STUXSHOP_OSCheck\r\n{\r\nmeta:\r\nauthor = \"Silas Cutler (havex@Chronicle.Security)\"\r\ndesc = \"Identifies the OS Check function in STUXSHOP and CheshireCat\"\r\nhash = \"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\"\r\nstrings:\r\n$ = {10 F7 D8 1B C0 83 C0 ?? E9 ?? 01 00 00 39 85 7C FF FF FF 0F 85 ?? 01 00\r\n00 83 BD 70 FF FF FF 04 8B 8D 74 FF FF FF 75 0B 85 C9 0F 85 ?? 01 00 00 6A 05\r\n5E }\r\n$ = {01 00 00 3B FA 0F 84 ?? 01 00 00 80 7D 80 00 B1 62 74 1D 6A 0D 8D 45 80\r\n68 ?? ?? ?? 10 50 FF 15 ?? ?? ?? 10 83 C4 0C B1 6F 85 C0 75 03 8A 4D 8D 8B C6\r\n}\r\ncondition:\r\nany of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554837205",
"to_ids": true,
"type": "yara",
"uuid": "5caceed5-75f0-4a37-adbf-4c8702de0b81",
"value": "rule STUXSHOP_config\r\n{\r\n\tmeta:\r\n desc = \"Stuxshop standalone sample configuration\"\r\n author = \"JAG-S (turla@chronicle.security)\"\r\n hash = \"c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579\"\r\n strings:\r\n $cnc1 = \"http://211.24.237.226/index.php?data=\" ascii wide\r\n $cnc2 = \"http://todaysfutbol.com/index.php?data=\" ascii wide\r\n $cnc3 = \"http://78.111.169.146/index.php?data=\" ascii wide\r\n $cnc4 = \"http://mypremierfutbol.com/index.php?data=\" ascii wide\r\n\r\n\t $regkey1 = \"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\MS-DOS Emulation\" ascii wide\r\n $regkey2 = \"NTVDMParams\" ascii wide\r\n $flowerOverlap1 = {85 C0 75 3B 57 FF 75 1C FF 75 18 FF 75 14 50 FF 75 10 FF 75 FC FF 15}\r\n $flowerOverlap2 = {85 C0 75 4C 8B 45 1C 89 45 0C 8D 45 0C 50 8D 45 08 FF 75 18 50 6A 00 FF 75 10 FF 75 20 FF 15}\r\n $flowerOverlap3 = {55 8B EC 53 56 8B 75 20 85 F6 74 03 83 26 00 8D 45 20 50 68 19 00 02 00 6A 00 FF 75 0C FF 75 08}\r\n $flowerOverlap4 = {55 8B EC 51 8D 4D FC 33 C0 51 50 6A 26 50 89 45 FC FF 15 }\r\n $flowerOverlap5 = {85 DB 74 04 8B C3 EB 1A 8B 45 08 3B 45 14 74 07 B8 5D 06 00 00 EB 0B 85 F6 74 05 8B 45 0C 89 06}\r\n $flowerOverlap6 = {85 FF 74 12 83 7D F8 01 75 0C FF 75 0C FF 75 08 FF 15}\r\n condition:\r\n all of ($flowerOverlap*)\r\n or\r\n 2 of ($cnc*)\r\n or\r\n all of ($regkey*)\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1554837622",
"to_ids": true,
"type": "regkey",
"uuid": "5cacf076-9a94-4851-83c9-4ecd02de0b81",
"value": "HKEY_CURRENT_USER\\Control Panel\\Appearance\\Old"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "16",
"timestamp": "1554812513",
"uuid": "5cac89aa-7884-4eb1-95fd-4a27950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5cac89aa-7884-4eb1-95fd-4a27950d210f",
"referenced_uuid": "d66ade80-17a6-47a9-9efe-7b5a922dfaa1",
"relationship_type": "analysed-with",
"timestamp": "1554811628",
"uuid": "5cac8aec-276c-404c-8a81-ac40950d210f"
},
{
"comment": "",
"object_uuid": "5cac89aa-7884-4eb1-95fd-4a27950d210f",
"referenced_uuid": "5cac8cc9-7984-4dfa-85f8-49af950d210f",
"relationship_type": "connects-to",
"timestamp": "1554812485",
"uuid": "5cac8e45-cc18-4be2-a17b-4d46950d210f"
},
{
"comment": "",
"object_uuid": "5cac89aa-7884-4eb1-95fd-4a27950d210f",
"referenced_uuid": "5cac8dc1-95dc-466e-85ce-4b0c950d210f",
"relationship_type": "connects-to",
"timestamp": "1554812513",
"uuid": "5cac8e61-962c-4264-9ee8-c1da950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554811306",
"to_ids": true,
"type": "md5",
"uuid": "5cac89aa-ca28-4de1-9427-48a1950d210f",
"value": "455abb43295b9a69e355e4e43457bf30"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554811306",
"to_ids": true,
"type": "sha256",
"uuid": "5cac89aa-b22c-47d9-a760-43d0950d210f",
"value": "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554811306",
"to_ids": true,
"type": "sha1",
"uuid": "5cac89aa-8bd0-4589-8516-4654950d210f",
"value": "1e0fe0400e04440942a4a1a5bcd3bcd3150a2eea"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1554811306",
"to_ids": false,
"type": "text",
"uuid": "5cac89aa-8bf8-4cbf-b422-490f950d210f",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554811628",
"uuid": "d66ade80-17a6-47a9-9efe-7b5a922dfaa1",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554811306",
"to_ids": false,
"type": "datetime",
"uuid": "fe2cf46c-9b9f-45e4-9909-009d17c89312",
"value": "2019-04-09T09:00:19"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554811306",
"to_ids": false,
"type": "link",
"uuid": "4dc602d6-a883-4d96-9a6d-08d62774f5af",
"value": "https://www.virustotal.com/file/c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579/analysis/1554800419/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554811306",
"to_ids": false,
"type": "text",
"uuid": "6127da9f-dbd0-4a70-b003-f73444bdafa6",
"value": "44/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "16",
"timestamp": "1554812463",
"uuid": "5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"referenced_uuid": "5cac8cc9-7984-4dfa-85f8-49af950d210f",
"relationship_type": "connects-to",
"timestamp": "1554812432",
"uuid": "5cac8e10-38c4-42b4-a552-4366950d210f"
},
{
"comment": "",
"object_uuid": "5cac8b2f-87ec-4432-bb7d-2c32950d210f",
"referenced_uuid": "5cac8dc1-95dc-466e-85ce-4b0c950d210f",
"relationship_type": "connects-to",
"timestamp": "1554812462",
"uuid": "5cac8e2e-88ec-44a9-b574-43de950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAAhhiU6Cbwf/0UoAAAgbAQAgABwANDU1YWJiNDMyOTViOWE2OWUzNTVlNGU0MzQ1N2JmMzBVVAkAAy+LrFwvi6xcdXgLAAEEIQAAAAQhAAAAXWx30pzG0qXDihDntIGFcB3uLBJt8j5oo/CZ15N7nYm4UomLesE9trJgBKvo1hLoz6nVvw7+uWaRJIF9akwxNcmO5J0kZJpLFJ52CRLnQSyZMCi+5x5ntEjZ+ELbAVQLzZuGYIUp2tnIkrNW6zq6Bjyh+meeaYQcFOOO+W7ODf1zCvembSyd6KbCjGRtmUosbFHDRGRNY0QPnGv88X3YTBSq4l5KylxKRfV6mbqFFd9r0p9m5d5aTUeG3/mdjqZF5ydDMj+fw8jLe5Ebnghy5yA855hgedP7fNyohVRQH5m47prWus9WFOspnyC9tQHaTTPwI4edeCwPZV0CmcIlJfL/+VSgY0XVfGFu7hyj/uOqOvnA3LilY6lGOmEY174vu55150aOgGVkaKY8a8DWilcN8jhAYb1neqaVuvUDY5JPkDbiNrkwqs8Wf5ThHIm65jfa64Ki/rx8mVUDs315ir0I+oJuoqxnEJdTI97lKZA4YBn5QKDEhW5CJg3OF10yIYPARfCy65Gzp9y6VKbYxOTjhZBN3OxuyK4HAUYQi78Av9wKjAV3zV07ngNBlwIOwqIXejZiZlsJBhfdpx66pgGFVWJyzeXDzSBioKHwwnuXK8GvKTj3+yvUOnRlWi9x3jATLZtU3kim/vL4vx4XB8+cgbVFdyb/hiL0lpeRFHX0U13YDv0VlOzsgw8Tc0fcp0Gz1nG07yJP9BzXtXZH9lX1KhyKch4bq9r42Jxmn6SAVElW2TQB6P5MSuz6jR7K0RU8QXpkQJ9ahph/3cUdLDspmvGvkY/Yil57NsIRLKZ3qJczq7b3uxFW4f+otad+9eNzUY5cgcLXazs9UhEEHVxp8qAFuZGhgmQgFERLj3IayEzade/SAur19O/1B3SDltJu22j4osvRCFM8OtuCsfaXfJdFjKFQiOYqAvco9COwzvOtYYtTtcQCFgtRX6xqukvjj20qTvNQPRTq4/6ukwvEOvgRrU6y1AVcy5rtduE3giUn1dw90Ca4FN3th5IjWUCB1MICjB1fq3YwQm9AAWahLDW5EVGWPGsehZjffaKby9VHLb5+2NEj+Gq1qTjjiUhSVdkg3mzvkAW17d48y+RzZEJ6YuuiEdB67HAhNT7WNmDGZZYNAzgemviXWc0pdk3w9egm0Vt99H8E+2GkJt8Z9n9gnv0bpIbb6CirR6tJm6VbN/rOTg9QhQW8ZoSfY/FaXDf4Cz7oQ6venuZAr68bd/ssaJPacWwrY0FY+UbN4l1cHgWbsfXih6fGzk20jyStm8TjvYj+rIoq1KidH9oegcj6DKaZNPKrn9YHtJ9RtOztQeOizsGTwPCBh7UxN21a1Sz/wxdtImKg0ogXYooWx4wvbvFmcTtlBEpLJr/R9GwaxxtOktAbl88EEl9rsPB8+6heNhYkXk4t5DxjsABz0trnIg69yXVoh/FHd7QZMBbDkROFoNLcvaQTwLtwHLH4AXsICG0JL4MITG+jr0UngTRnwbeWfhUtR1aKy9dTM2EDs9X0lCP+nr8IByUyzJewj3UzSpGdfPyErQeAO2cpuW9O3tfvF5GgsY6SmlT+5W3jizn3kMPEB13XkpzQyKx3DdU0MqR6zzmxFz+BoLocu04n7b+2RqqTvruNf7kadnh8WcN//C1v6TBnJ57GGFxzsPqjm0940LqszT252bjCOHgfUauE0RNWJolklFHfZ47dZACsYyshYIYsN2+lkrSkI/foYHCSFGMiZbInROpdzu2aUmkqxOfqyCAgp1lDG+qg94jpqVdzZsTUINvDxVbTk+fnvHxjM/kMVazoDBdK2z30Pc09ZigwQ3+4w5vKSH6w5D3ap3TnqubKIaWksaTPiTYxVTZRoju
1jYBOdmiQNoPfCN/dOCPoOj4rWZr1Xw0650g5ZHw0KkXRIKosS5zgY/RUUyeO3qYbw7ksKHcQI3+PsdSqmlsuKqR6wWumn2wlB4EiJWo72k2hZGgxYS53QgqMXARf7CQ+aN65iES9m0i45zqalyi3NyDfqqHrbTL+Wcln29fyfnjS9unQYFupnbbGYMdKjaT1dhN95K0W/t6A+kdrTXE77bc0+B29UzY2fh4WRrxyUvPpxPJ6f4POJ+9FHeI7p4SlikWHn3nfxWzmW1LwHLIugwUQmFN0u9gkEG2qWH/4gYEjTwi8iyfVxjUe+YotocfjNJTR2rXuiPeX9D6z4YCFi5cNMYcJBvwa0XNu1jN6a+ZcrFyD78+Qgy+bZASsD2hVsK2i1sQ4xx3aFxK0bFfrR4TX2vdulocaYjOZsu4Q9Xmu51eHVm/VZBC8IBKDkwT6+0wBhoCrfYhnsVKuaMRmh7k+YCfWXkB8QROmAtcS5FX3ZlRl/+v1fLzGG+DsLe0NZXss+DrLVikXu5GzK2WMkutuWj2VJzdyKSyIV+wnXEZk5H72imoChGAbd2Gug2t2uIAH3kwibgVOMorUavXFYsBPC85CQRjRP/Yx3dWnbx4YtX6ik+RG81XGDdr1auOrP4jvh8ihjx683kOufdZ7B/w6v2kk01Dmx0XAdqjardedU0tXWZOFrxer9CFxljLOxQvMj5z6CO9OjFbZt9zXMGjx+QztjRfAO8Sg+CsucxKZ7IvgewbGtb9Ngcs0vCeNNPN6FSTKE07SnrasWivIszEmKfd4sX9+l1pBTTD1GpvUPsSwrVo1EWk5e4spnh3uNAWXuj1RF8GmoDR6CQIeYpE9HxkiCdMHbjRalPyxAZi4ra21G5rh8cVi6ZEPIS7rfKNvrZGacq6tMZJA35/EaxOZtQrCO6a3YFI9VbuoWAj/CUl8dGBYXUF9re9QS175hW+/ZY4UrJTX/a+HvO/5RUSsXnyR7Q/hInugDt7WeBblRF2Kj63ntBRKp0c1iEjLUIBbkoEdcGJ0Pw+fEZZxD735NtMBVDntDLRbHwSPcHhLY+RAi4yEqz3orJgVuJjUfyKxLZaRm8Jb3dM/cQUq5TZ1fuOFm1y15f7RDCXAECIp9xkxX/C/B6QPDkfHXWUYJb6O7kgvONoreG6NiRf2Dh6LA3X2cNDuibwQy0cy94d77vwr3gGnW0vmOPxSQQQ3wmlkm5eLq3brm0ZNlr5JZOUur3FB4Lcu+y/5W8ihsOexgSbjrKyS20Vxt1dxyj2adJGl4XmLU2NvbdcBTdo0Tr7T/HVxa6MPORBCAefwlX4xPzWiLH1Ls6OWvpkC6vyhnDYq2408iuzMQUAV/y2Tolif3jIIjFAJ4xCXBfT4WOT0umag3YV0rMZYab5Cz558e7a30XKoMRHahC3Df8b9t9hKAU4X1Ljk/nYa8bZp0Ew9UYyAP9ZiTgwoCM+xRfHQezPm6lC8pHqieLLpQV5X5HaIyMmCGEFMCxkESunnWQqQsae+7oiV3w+5Dz8pVCLSh0y6FAnlnGZ6dYIuo+MTwv6VJSw9OaI1nJHNMe9guGM9wYMxX25HDH9JUItQIhtyyFIkFkiK/BrleAaEmqOrQvovkzmttGJ96TcvK5hGadJOq4lIq4ZYyyaEt5YQ6AxUOFVOggjyekGQgvINoFrE+z4o5odPHVv9NoBmLhiI8kATeCBAcG15RTn97v6Vd22MTw3LXnh/XmnxFOMiV/ghoM52ZtBk+QeWcr51aXtZOKkpNS9aFakJ32FD53dXikpa9zJMO8R7M8zFwJ0kMR7/T2NcUU6OmTbOIN48A67ppdjH6nt1lFCWCsbuJ1Dy5YlbRc7iSCLqi8/sQnjcdV2oiCpHDe5WvXH1xQN8QD7CKHJlKvwnGAyWV8Fwn06WtH2Ew+P0bZUUhi6LyTDSn1V20ANqaWbZZllSEZ5s0eHAmLraJDHoBmionShRBd/ttHk8RW8Vl5k3F233xS1
lIYFZXiVNzyxQymVluwsuKvnR3Clfyn/+/QAPB4qYaZT0iYpamrYk1CA7Qlc9GfC8WAfuy1QAULTZ6LQ8ho
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1554811695",
"to_ids": true,
"type": "malware-sample",
"uuid": "5cac8b2f-8104-4053-bf07-2c32950d210f",
"value": "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579|455abb43295b9a69e355e4e43457bf30"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1554811695",
"to_ids": false,
"type": "filename",
"uuid": "5cac8b2f-dcb0-4a2a-bfb1-2c32950d210f",
"value": "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554811695",
"to_ids": true,
"type": "md5",
"uuid": "5cac8b2f-36f4-4b44-a5d5-2c32950d210f",
"value": "455abb43295b9a69e355e4e43457bf30"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554811695",
"to_ids": true,
"type": "sha1",
"uuid": "5cac8b2f-d578-41fb-a566-2c32950d210f",
"value": "1e0fe0400e04440942a4a1a5bcd3bcd3150a2eea"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554811695",
"to_ids": true,
"type": "sha256",
"uuid": "5cac8b2f-b34c-4cda-ba12-2c32950d210f",
"value": "c1961e54d60e34bbec397c9120564e8d08f2f243ae349d2fb20f736510716579"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1554811695",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5cac8b2f-3080-4f59-b186-2c32950d210f",
"value": "72456"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "6",
"timestamp": "1554812105",
"uuid": "5cac8cc9-7984-4dfa-85f8-49af950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1554812105",
"to_ids": true,
"type": "ip-dst",
"uuid": "5cac8cc9-fcdc-4462-a4c6-4eb6950d210f",
"value": "211.24.237.226"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1554812105",
"to_ids": true,
"type": "domain",
"uuid": "5cac8cc9-4898-4cb8-85dc-47cd950d210f",
"value": "todaysfutbol.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "6",
"timestamp": "1554812353",
"uuid": "5cac8dc1-95dc-466e-85ce-4b0c950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1554812353",
"to_ids": true,
"type": "ip-dst",
"uuid": "5cac8dc1-57f4-4d91-831f-464d950d210f",
"value": "78.111.169.146"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1554812354",
"to_ids": true,
"type": "domain",
"uuid": "5cac8dc2-bad4-48d7-be3d-41b8950d210f",
"value": "mypremierfutbol.com"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "16",
"timestamp": "1554835991",
"uuid": "5cacea17-9ba0-4939-95e7-474c02de0b81",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1554835991",
"to_ids": false,
"type": "text",
"uuid": "5cacea17-502c-4be8-8c10-47e802de0b81",
"value": "We wondered about the deployment of these curious samples. All of the functionality pointed to\r\na command-and-control module meant to function alongside other components, and not as a\r\nstandalone piece. As we hunted, we came across an unpacked/unobfuscated sample of\r\nStuxnet presumably compiled in 2009 that contained Stuxshop in its entirety"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554835992",
"to_ids": true,
"type": "md5",
"uuid": "5cacea18-6008-4294-8dbd-420502de0b81",
"value": "360752e2f6938ae91ac8fb212c62c0c4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554835992",
"to_ids": true,
"type": "sha256",
"uuid": "5cacea18-0664-474f-997f-4b0a02de0b81",
"value": "f34c85bb4fcd87225468d0e8ee4441ebc92f42b3f69500d85e28be3c553ce433"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554835992",
"to_ids": true,
"type": "sha1",
"uuid": "5cacea18-5150-4e6e-9a46-4f2a02de0b81",
"value": "346de24b4081b0dbccd0f3458734b08258eed8a7"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1554835992",
"to_ids": false,
"type": "text",
"uuid": "5cacea18-9948-47d2-96e1-4ef802de0b81",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837250",
"uuid": "2868aeaa-a19a-4b36-b693-e55b1a32d633",
"ObjectReference": [
{
"comment": "",
"object_uuid": "2868aeaa-a19a-4b36-b693-e55b1a32d633",
"referenced_uuid": "95f4e9d8-aec9-4e52-b133-8688a3857540",
"relationship_type": "analysed-with",
"timestamp": "1554837251",
"uuid": "5cacef03-a574-487a-9e9d-497e02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836138",
"to_ids": true,
"type": "md5",
"uuid": "9beba910-a940-4d34-9c6e-4d35e6cd20bf",
"value": "fa1e5eec39910a34ede1c4351ccecec8"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha1",
"uuid": "035bc1cc-a2fe-469a-ba28-e0daa8ef89d7",
"value": "ca3c5872080ec86a041b2b887caec9f28ba7b884"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "043ae229-5646-40f6-a62d-fb0a35a1f8a0",
"value": "c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837250",
"uuid": "95f4e9d8-aec9-4e52-b133-8688a3857540",
"Attribute": [
{
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836138",
"to_ids": false,
"type": "datetime",
"uuid": "b0d502dd-ff60-4d76-a5a3-7ffd57be3fe0",
"value": "2019-04-09T14:27:10"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836138",
"to_ids": false,
"type": "link",
"uuid": "6094c770-b3db-4eff-9f59-3e51787a615a",
"value": "https://www.virustotal.com/file/c074aeef97ce81e8c68b7376b124546cabf40e2cd3aff1719d9daa6c3f780532/analysis/1554820030/"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836138",
"to_ids": false,
"type": "text",
"uuid": "eb3ecbbe-9ed5-487c-9321-967a75105a4d",
"value": "45/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837250",
"uuid": "d7f8c044-89dc-411c-a777-6110c35e1185",
"ObjectReference": [
{
"comment": "",
"object_uuid": "d7f8c044-89dc-411c-a777-6110c35e1185",
"referenced_uuid": "73ebef95-1302-4712-b237-7aba3002f249",
"relationship_type": "analysed-with",
"timestamp": "1554837251",
"uuid": "5cacef03-ff14-4827-8aea-4b4602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836138",
"to_ids": true,
"type": "md5",
"uuid": "907050eb-7a46-4087-8caf-55022cafe5a0",
"value": "984c7734a61f5b0c22291a4e26b224be"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha1",
"uuid": "a6a45c02-014c-424a-acc8-6f7d09c4db09",
"value": "2a1cc9c615cc2a798cf491a81e52ca050d4e828b"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "a81d78fa-107d-4283-b32d-a7c27379a305",
"value": "683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837250",
"uuid": "73ebef95-1302-4712-b237-7aba3002f249",
"Attribute": [
{
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836138",
"to_ids": false,
"type": "datetime",
"uuid": "ad8d9850-f381-49c6-b650-62a57c8bf3b6",
"value": "2019-04-09T17:37:54"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836138",
"to_ids": false,
"type": "link",
"uuid": "1a976776-aafe-414e-bcf5-acd3caf060cf",
"value": "https://www.virustotal.com/file/683ce2c7c80b180768fe4d2a39030dc7c4f67db79d1953ee4803522131f533a3/analysis/1554831474/"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836138",
"to_ids": false,
"type": "text",
"uuid": "bcf66b81-63ce-495d-aee2-1dffdf10aae4",
"value": "27/65"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837250",
"uuid": "308606ca-729c-4050-8d8e-72f00f17a981",
"ObjectReference": [
{
"comment": "",
"object_uuid": "308606ca-729c-4050-8d8e-72f00f17a981",
"referenced_uuid": "7403084a-f132-4ff9-a53b-6342ed8032ee",
"relationship_type": "analysed-with",
"timestamp": "1554837251",
"uuid": "5cacef03-5470-4ce7-95f0-412002de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836138",
"to_ids": true,
"type": "md5",
"uuid": "01116b16-d4eb-47d2-b0eb-e3aa6f28f137",
"value": "4e0a3498438adda8c50c3e101cfa86c5"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha1",
"uuid": "9c087088-0b17-4653-b4f0-10d86ebbcc08",
"value": "0655670f1cb40e84ba12adb9711f001269712054"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "376dbb9c-5d09-4af9-8549-35fa62c4c2c4",
"value": "ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837250",
"uuid": "7403084a-f132-4ff9-a53b-6342ed8032ee",
"Attribute": [
{
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836138",
"to_ids": false,
"type": "datetime",
"uuid": "7176c395-37ca-4d30-941c-0b19c00a2996",
"value": "2019-04-09T14:27:24"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836138",
"to_ids": false,
"type": "link",
"uuid": "958ba48c-fd6d-489d-8c11-2f6bc6f79191",
"value": "https://www.virustotal.com/file/ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300/analysis/1554820044/"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836138",
"to_ids": false,
"type": "text",
"uuid": "c149c768-5027-4e7e-a5d6-8ebac9b6bb3c",
"value": "45/69"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837250",
"uuid": "dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "dbbdfe4d-13dc-4fc2-b189-0582aec45f8f",
"referenced_uuid": "67191d81-2968-4471-b804-e92b25166e28",
"relationship_type": "analysed-with",
"timestamp": "1554837252",
"uuid": "5cacef04-2af0-491f-9fbf-461d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836138",
"to_ids": true,
"type": "md5",
"uuid": "5b7caac9-41a6-4cce-b757-53c583384d19",
"value": "3ba57784d7fd4302fe74beb648b28dc1"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha1",
"uuid": "4e7d67eb-0fa1-4b98-90db-cbad6936f4dc",
"value": "648a62d74ab1076e66a7a70f0899b8093eca2b01"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "09a52190-3be6-408c-8ef4-bb41f517162b",
"value": "32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837250",
"uuid": "67191d81-2968-4471-b804-e92b25166e28",
"Attribute": [
{
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836138",
"to_ids": false,
"type": "datetime",
"uuid": "0052a797-5299-43f8-bb60-fc6f0e5b8827",
"value": "2019-04-09T14:25:43"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836138",
"to_ids": false,
"type": "link",
"uuid": "fafdb38f-5748-48f9-8873-6c6086237764",
"value": "https://www.virustotal.com/file/32159d2a16397823bc882ddd3cd77ecdbabe0fde934e62f297b8ff4d7b89832a/analysis/1554819943/"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836138",
"to_ids": false,
"type": "text",
"uuid": "5d48d630-34cc-4288-aabf-4186fcaede15",
"value": "44/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837251",
"uuid": "de4d97dc-5512-4f11-b590-7f56e1877cdc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "de4d97dc-5512-4f11-b590-7f56e1877cdc",
"referenced_uuid": "555db026-ee1b-4775-91f4-a1b52245a78c",
"relationship_type": "analysed-with",
"timestamp": "1554837252",
"uuid": "5cacef04-1250-49d3-9393-467602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836031",
"to_ids": true,
"type": "md5",
"uuid": "3a6074d4-c548-430d-8409-23e79021d6f3",
"value": "300d2a3f47803c2814a45382d84d3446"
},
{
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836031",
"to_ids": true,
"type": "sha1",
"uuid": "c2689a2e-5974-4da6-9081-32a680a72d9e",
"value": "ec5dd52971f550a77c3544819c56674378976509"
},
{
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836031",
"to_ids": true,
"type": "sha256",
"uuid": "0191d239-123a-42c8-b677-aa3ec5a0befb",
"value": "1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837251",
"uuid": "555db026-ee1b-4775-91f4-a1b52245a78c",
"Attribute": [
{
"category": "Other",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836031",
"to_ids": false,
"type": "datetime",
"uuid": "54971c2b-ffc5-4568-a9dc-9ba3ec8e95e3",
"value": "2019-04-09T17:37:53"
},
{
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836031",
"to_ids": false,
"type": "link",
"uuid": "ae87b543-4eaf-4790-847a-9e81e2576099",
"value": "https://www.virustotal.com/file/1daa2b15b70e486927c8fc06eed434080ab408a1b320be9fefe193c20d1d9a7f/analysis/1554831473/"
},
{
"category": "Payload delivery",
"comment": "Stuxshop Modules",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836031",
"to_ids": false,
"type": "text",
"uuid": "e44ee586-67fa-4411-a3d4-329acf59622b",
"value": "43/68"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837251",
"uuid": "6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"ObjectReference": [
{
"comment": "",
"object_uuid": "6b9bfb62-ea86-4bb9-9d1e-7aa8ed2150eb",
"referenced_uuid": "ddaf5a99-1963-4a4a-93eb-0b69396bbb46",
"relationship_type": "analysed-with",
"timestamp": "1554837252",
"uuid": "5cacef04-928c-40e9-81f4-4cad02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836138",
"to_ids": true,
"type": "md5",
"uuid": "ee80b3fa-b119-4b7e-925e-1410644f07b4",
"value": "7b0e7297d5157586f4075098be9efc8c"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha1",
"uuid": "daa56fb7-63bf-4ec4-82e1-d0abbc75dd8c",
"value": "421156c4858878ef8beeadf54c4549095445b682"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836138",
"to_ids": true,
"type": "sha256",
"uuid": "302c475f-5275-430f-91ec-3934d64e5c80",
"value": "63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837251",
"uuid": "ddaf5a99-1963-4a4a-93eb-0b69396bbb46",
"Attribute": [
{
"category": "Other",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836138",
"to_ids": false,
"type": "datetime",
"uuid": "46da9467-63b7-4c06-9c57-d83d362007b6",
"value": "2019-04-09T14:20:50"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836138",
"to_ids": false,
"type": "link",
"uuid": "2de83530-15bd-4536-a3d9-51752d3a52fd",
"value": "https://www.virustotal.com/file/63735d555f219765d486b3d253e39bd316bbcb1c0ec595ea45ddf6e419bef3cb/analysis/1554819650/"
},
{
"category": "Payload delivery",
"comment": "Flowershop samples with relevant code overlap",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836138",
"to_ids": false,
"type": "text",
"uuid": "ffca2167-370b-44d8-8eb2-7bfbd7118538",
"value": "45/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837251",
"uuid": "6edd0812-8c25-4923-8e60-1872a7a81a1c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "6edd0812-8c25-4923-8e60-1872a7a81a1c",
"referenced_uuid": "b7b2cc69-43cb-4213-9dfd-d7b5043a819d",
"relationship_type": "analysed-with",
"timestamp": "1554837252",
"uuid": "5cacef04-cd20-4b52-b814-4c3c02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836078",
"to_ids": true,
"type": "md5",
"uuid": "927c49e1-7114-47ca-8721-2286ac0d45be",
"value": "79c02836b6b6939ecea43691278424e8"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836078",
"to_ids": true,
"type": "sha1",
"uuid": "e716e83e-72e5-412f-ab92-e8d5edf7701f",
"value": "62e021e7ce7e6c382820b5a083221732ef5649b9"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836078",
"to_ids": true,
"type": "sha256",
"uuid": "3976d727-eddc-4330-ac2e-66100a1673d7",
"value": "a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837251",
"uuid": "b7b2cc69-43cb-4213-9dfd-d7b5043a819d",
"Attribute": [
{
"category": "Other",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836078",
"to_ids": false,
"type": "datetime",
"uuid": "be7cd761-b99d-441d-8fe3-98c0fe63ff8a",
"value": "2019-04-09T17:37:55"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836078",
"to_ids": false,
"type": "link",
"uuid": "9a5f1b2c-0306-4d7f-8ad9-d8d57a895f7b",
"value": "https://www.virustotal.com/file/a01845255bdc61b610cac269a5562ad09415aaf2a1490d53d55c4c3597670803/analysis/1554831475/"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836078",
"to_ids": false,
"type": "text",
"uuid": "01cbe4d0-780b-4530-9812-d999bc1938d2",
"value": "44/64"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1554837251",
"uuid": "421a889c-305d-4fee-a7c9-6b0114a2beb9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "421a889c-305d-4fee-a7c9-6b0114a2beb9",
"referenced_uuid": "596ec4c3-ec57-4be1-8edf-777fb2b48aa0",
"relationship_type": "analysed-with",
"timestamp": "1554837252",
"uuid": "5cacef04-e128-45dc-92fb-41ea02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1554836078",
"to_ids": true,
"type": "md5",
"uuid": "3daa0486-371a-41e5-a1b1-58385d5f7d80",
"value": "6df1c77d4aabc3e3d91fcfdba8e7986d"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1554836078",
"to_ids": true,
"type": "sha1",
"uuid": "385662da-b2a2-47f3-81d9-e65265e2e705",
"value": "39b106c2405c3b5d65ddbb17571fc53b26893e9a"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1554836078",
"to_ids": true,
"type": "sha256",
"uuid": "da333d03-1d8a-468f-82fd-86623723d4cb",
"value": "77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1554837251",
"uuid": "596ec4c3-ec57-4be1-8edf-777fb2b48aa0",
"Attribute": [
{
"category": "Other",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1554836078",
"to_ids": false,
"type": "datetime",
"uuid": "ea99549b-5bd3-47dd-aa68-bda0ce2c3b42",
"value": "2019-04-09T17:37:55"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1554836078",
"to_ids": false,
"type": "link",
"uuid": "e50ac7c2-3672-445d-92bb-bc78d3742ba2",
"value": "https://www.virustotal.com/file/77211838bb6783121fe1aeff182c8cc1cba9c9f0c1e5a0027e0c0b9dfa18e2ac/analysis/1554831475/"
},
{
"category": "Payload delivery",
"comment": "Stuxnet Installers with Resource 231",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1554836078",
"to_ids": false,
"type": "text",
"uuid": "a6e18bf7-3d93-4c64-9b6d-021a3b2c3542",
"value": "53/70"
}
]
},
{
"comment": "The C&C server response is decoded with the same 31-byte XOR scheme, using yet another key; the 62-hex-character password attribute of this object is that 31-byte key.",
"deleted": false,
"description": "Malware configuration recovered or extracted from a malicious binary.",
"meta-category": "file",
"name": "malware-config",
"template_uuid": "8200b79b-1d8c-49a8-9a63-7710e613c059",
"template_version": "1",
"timestamp": "1554837539",
"uuid": "5cacf023-7368-4a33-a5a4-4e8502de0b81",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "password",
"timestamp": "1554837539",
"to_ids": false,
"type": "text",
"uuid": "5cacf023-5f50-43d4-a585-44cc02de0b81",
"value": "F117FA1CE233C1D7BB7726C0E49615C4622E2D1895F0D8AD4B23BADC4FD70C"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "config",
"timestamp": "1554837539",
"to_ids": false,
"type": "text",
"uuid": "5cacf023-fdf0-45af-9095-431502de0b81",
"value": "not included"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1554837539",
"to_ids": false,
"type": "text",
"uuid": "5cacf023-a61c-4c80-9eff-40e202de0b81",
"value": "other"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"name": "registry-key",
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"template_version": "4",
"timestamp": "1554837719",
"uuid": "5cacf0d7-870c-4b90-a5bb-4c1c02de0b81",
"Attribute": [
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "key",
"timestamp": "1554837719",
"to_ids": true,
"type": "regkey",
"uuid": "5cacf0d7-228c-4398-9968-4d0e02de0b81",
"value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\MS-DOS Emulation"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "name",
"timestamp": "1554837719",
"to_ids": false,
"type": "text",
"uuid": "5cacf0d7-1f3c-4f9f-be33-424402de0b81",
"value": "NTVDM TRACE"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "data",
"timestamp": "1554837719",
"to_ids": false,
"type": "text",
"uuid": "5cacf0d7-7a98-4cf3-805b-464002de0b81",
"value": "19790509"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "root-keys",
"timestamp": "1554837719",
"to_ids": false,
"type": "text",
"uuid": "5cacf0d7-3318-41fe-b455-499102de0b81",
"value": "HKCC"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "data-type",
"timestamp": "1554837719",
"to_ids": false,
"type": "text",
"uuid": "5cacf0d7-e348-4d55-8d64-409802de0b81",
"value": "REG_NONE"
}
]
}
]
}
}