{
"Event": {
"analysis": "0",
"date": "2018-11-27",
"extends_uuid": "5c065ec5-6ab0-4cc1-a032-bf18950d210f",
"info": "MAR-10164494.r1.v1 (SamSam ransomware)",
"publish_timestamp": "1544005136",
"published": true,
"threat_level_id": "3",
"timestamp": "1544005129",
"uuid": "5c066053-0e94-46eb-9746-4b7d950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:malpedia=\"SamSam\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:ransomware=\"Samas-Samsam\"",
"relationship_type": ""
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Object describing the original file used to import data in MISP.",
"meta-category": "file",
"name": "original-imported-file",
"template_uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5",
"template_version": "2",
"timestamp": "1543921747",
"uuid": "9b90b222-5a6e-4a68-8980-c85eb5e4e079",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "imported-sample",
"timestamp": "1543921748",
"to_ids": false,
"type": "attachment",
"uuid": "dc91e612-5d87-475c-aa4d-7e1f490cb62d",
"value": "MAR-10164494.r1.v1.stix.xml"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1543921748",
"to_ids": false,
"type": "text",
"uuid": "82d92392-8ee1-4db9-857c-89cb1cf93a54",
"value": "STIX 1.1.1"
}
]
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "File object describing a file with meta-information",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "file",
|
|
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
|
|
"template_version": "15",
|
|
|
|
"timestamp": "1543921748",
|
|
|
|
"uuid": "7f58ce95-cc60-466d-b405-d47226c5f0bf",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921748",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "44b093a2-d15c-44b5-b76e-83500aa2f718",
|
|
|
|
"value": "76bd79f774ae892fd6a30b6463050a91"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha1",
|
|
|
|
"timestamp": "1543921749",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "b58f054c-98d9-4c03-8f9f-7c4dc1372862",
|
|
|
|
"value": "4d7a60bd1fb3677a553f26d95430c107c8485129"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha256",
|
|
|
|
"timestamp": "1543921749",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "a5274885-a3c6-40bc-92dd-258429767e47",
|
|
|
|
"value": "9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "File object describing a file with meta-information",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "file",
|
|
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
|
|
"template_version": "15",
|
|
|
|
"timestamp": "1543921750",
|
|
|
|
"uuid": "bd1dbb31-d316-4911-b2cb-4e71d16d1dbb",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921750",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "a54d44f7-d2cc-4117-bdfe-d098ea589243",
|
|
|
|
"value": "b96620d8a08fa436ea22ef480dd883ce"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha1",
|
|
|
|
"timestamp": "1543921750",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "21562b9a-60fd-4a5e-ae86-d0aa491fbeb9",
|
|
|
|
"value": "a1ab74d2f06a542e77ea2c6d641aae4ed163a2da"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha256",
|
|
|
|
"timestamp": "1543921751",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "4902e608-ce21-4615-aa2b-a8e85ef114ca",
|
|
|
|
"value": "738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "File object describing a file with meta-information",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "file",
|
|
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
|
|
"template_version": "15",
|
|
|
|
"timestamp": "1543921751",
|
|
|
|
"uuid": "a7364364-e48d-4a7c-b3bd-ece622f7f31e",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921751",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "03916da4-5f9f-442a-98e1-c7783dcd2748",
|
|
|
|
"value": "02c19bbf8e19bb69fc7870ec872d355e"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha1",
|
|
|
|
"timestamp": "1543921752",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "825df6c8-e826-4b69-a0e3-881b6ab1f993",
|
|
|
|
"value": "cc76586ef94122329e825c78aad2ecb9ac064343"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha256",
|
|
|
|
"timestamp": "1543921752",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "f2b8d31e-236b-4517-9a7a-1d8aa643925c",
|
|
|
|
"value": "bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921753",
|
|
|
|
"uuid": "855cd93b-6e6c-4827-9cfa-479873ce217a",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921753",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "faaecaa5-c3d4-4437-b4d0-77a0f471c147",
|
|
|
|
"value": "2.54792"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921753",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "975863e8-6eac-4f53-9857-30ce88281312",
|
|
|
|
"value": "34943f18fd2a99cc3f5cabe43b4765f8"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921753",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "fbd9f037-6344-455d-aa3a-a1c827c2cb91",
|
|
|
|
"value": "512"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921753",
|
|
|
|
"uuid": "b1432908-95e3-47e7-8ae3-ee66ea5ff4f8",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921753",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "2534ce8b-44fc-4021-a4f7-36bce8a11484",
|
|
|
|
"value": "06219fe6e30e15dce12688ca2b434890"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "814011e2-3808-4228-a2d2-49db8e211c59",
|
|
|
|
"value": "4.85667"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "e574c16b-d9a0-442a-b61b-67631517cc75",
|
|
|
|
"value": ".text"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "b996c7bf-9c1f-47d9-9798-cee99cd331a3",
|
|
|
|
"value": "3072"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"uuid": "d0951bc8-2196-4ad1-94bf-191486da007a",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "81809d10-f2c2-4db2-9434-f02ee1062389",
|
|
|
|
"value": "11b58fc9ac45168b871cc50399b7c86c"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "6410600b-0dc3-48de-a5de-3894cb33d76b",
|
|
|
|
"value": "2.888335"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "6de6fcae-866a-42ec-a084-e824075d8f31",
|
|
|
|
"value": ".rsrc"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "d606f2f8-d8e4-4591-9681-237e5324c42a",
|
|
|
|
"value": "1024"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"uuid": "46929908-aa81-4a2e-922d-0888eef9c399",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921754",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "4bbd64ab-476e-47a1-9e48-70c23aa90b39",
|
|
|
|
"value": "ec45a535f38fb6dc4ac4ed7cbf63b754"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "1fa3c44f-75b9-4330-9d55-5eeac9047851",
|
|
|
|
"value": "0.081539"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "b8aac6e6-7e01-4af7-9063-a93ff88b2f5b",
|
|
|
|
"value": ".reloc"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "d1b2d7c2-d9c0-4d80-b591-e71de543928f",
|
|
|
|
"value": "512"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe",
|
|
|
|
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"uuid": "5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"ObjectReference": [
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"referenced_uuid": "855cd93b-6e6c-4827-9cfa-479873ce217a",
|
|
|
|
"relationship_type": "header-of",
|
|
|
|
"timestamp": "1543921764",
|
|
|
|
"uuid": "5c066064-b00c-4fe6-997b-4478950d210f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"referenced_uuid": "b1432908-95e3-47e7-8ae3-ee66ea5ff4f8",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921764",
|
|
|
|
"uuid": "5c066064-f734-4102-8497-4824950d210f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"referenced_uuid": "d0951bc8-2196-4ad1-94bf-191486da007a",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921764",
|
|
|
|
"uuid": "5c066064-eb98-485e-aa9e-4eca950d210f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"referenced_uuid": "46929908-aa81-4a2e-922d-0888eef9c399",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921764",
|
|
|
|
"uuid": "5c066064-9880-4d24-82fa-48a0950d210f"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "internal-filename",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "filename",
|
|
|
|
"uuid": "a56299e1-f7aa-4414-a4d8-0a321bd2bcb4",
|
|
|
|
"value": "ClassLibrary1.dll"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "original-filename",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "filename",
|
|
|
|
"uuid": "52e69a5a-8f8c-45e8-a58b-40ca2c28206f",
|
|
|
|
"value": "ClassLibrary1.dll"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "number-sections",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "counter",
|
|
|
|
"uuid": "bb0b6f6a-fcf1-4dd5-956d-78497ad83d95",
|
|
|
|
"value": "4"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "File object describing a file with meta-information",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "file",
|
|
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
|
|
"template_version": "15",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"uuid": "eaf7e1bc-5f82-425b-91b0-c16bb3cf7913",
|
|
|
|
"ObjectReference": [
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "eaf7e1bc-5f82-425b-91b0-c16bb3cf7913",
|
|
|
|
"referenced_uuid": "5afacb97-2453-4507-84cf-2e4c5d9c3fa4",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921764",
|
|
|
|
"uuid": "5c066064-6890-4af1-9854-4d61950d210f"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "34d5396c-21d6-4967-93b8-719906477480",
|
|
|
|
"value": "76bd79f774ae892fd6a30b6463050a91"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha1",
|
|
|
|
"timestamp": "1543921755",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "sha1",
|
|
|
|
"uuid": "15654d0a-a355-451a-b482-7296b6b4d734",
|
|
|
|
"value": "4d7a60bd1fb3677a553f26d95430c107c8485129"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha256",
|
|
|
|
"timestamp": "1543921756",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "sha256",
|
|
|
|
"uuid": "91169b8c-5966-42d4-929c-f07308f6a2d1",
|
|
|
|
"value": "9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "sha512",
|
|
|
|
"timestamp": "1543921756",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "sha512",
|
|
|
|
"uuid": "269a789f-8bac-4e0a-8f1e-c99fe9afbdb6",
|
|
|
|
"value": "67e0046db0b565a1ac1862bbd536016c3ea984f8fceadaa31b4c99e7a8b434b170d5badbb10c2c25e264b17bbf2f97576f252e7ef74279b3b845b1553cef9829"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "ssdeep",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "ssdeep",
|
|
|
|
"uuid": "5b7065ce-59e3-4681-b3ae-7ad1ed2f1bcb",
|
|
|
|
"value": "48:6DhamfhRd4tvDo4Xbgj/aarU3LT88VMM8UX8i02+KfANbU7gjBRd1trWO8lGO+3L:m+5DoAbgfU88Spi0oANbsgjMPYp3XII"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "filename",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "filename",
|
|
|
|
"uuid": "2d12f4b2-82b7-4f8f-be16-aca15d66336a",
|
|
|
|
"value": "ClassLibrary1.dll"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Artifacts dropped",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "mimetype",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "mime-type",
|
|
|
|
"uuid": "64581c76-5506-4b33-a5ef-ef4fc6990f9c",
|
|
|
|
"value": "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "4a854987-43e7-4518-bcad-82c344c2706a",
|
|
|
|
"value": "4.004964"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "ff97ee13-ae78-4494-9e32-abb29372252b",
|
|
|
|
"value": "5120"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"uuid": "65e8a61f-cd5e-46b3-8e43-f6ee835fb3ec",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "c5911227-4c80-4705-bd3b-67f3d1aaa83f",
|
|
|
|
"value": "2.538579"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921757",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "ad11b1f4-d965-4ef2-b1bc-96c42475805f",
|
|
|
|
"value": "7f1dc4bd716bc037dea251c4dff12cdd"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "e0326762-3601-4967-8d7f-f2365dc3f7a2",
|
|
|
|
"value": "512"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"uuid": "39cb5a66-0f5f-4e01-a711-6cd8e9f09843",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "406d93ff-2c26-426f-870b-d3d8992ea4d1",
|
|
|
|
"value": "c8076584486a2745281e4945da9b8b13"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "ae1e0206-92ae-4dc1-93a6-9d51d9472ccd",
|
|
|
|
"value": "4.946272"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "01404fa1-ba6f-4563-bc08-14152d211892",
|
|
|
|
"value": ".text"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "05362ad8-db47-410a-9224-ede9e9f8848c",
|
|
|
|
"value": "3072"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"uuid": "1f222148-e8da-40d6-9f6c-6972afbaf41d",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921758",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "3f0fa297-a812-449f-87d7-ef05305e47f8",
|
|
|
|
"value": "1efe88aa4756d059ec1d3b49e342de5d"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "6c5b147b-6a38-4d37-9268-7b7cd55f66bc",
|
|
|
|
"value": "3.917395"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "4f2e09db-03f3-4b74-8d54-a71c90aa96ac",
|
|
|
|
"value": ".rsrc"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "ea0281d0-cc3b-4aef-a90a-12b4b6e67942",
|
|
|
|
"value": "2048"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a section of a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe-section",
|
|
|
|
"template_uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
|
|
|
|
"template_version": "2",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"uuid": "8b5d0a9d-268b-42fa-8d68-a4df4450d56e",
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "md5",
|
|
|
|
"uuid": "484bf645-2a7e-4663-b740-117f1528e0d5",
|
|
|
|
"value": "7048daac38c935b38e086adcd8035d2a"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "entropy",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "float",
|
|
|
|
"uuid": "e26f47c7-57ba-4fcb-aa9c-acbd5db5beb8",
|
|
|
|
"value": "0.081539"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "name",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "text",
|
|
|
|
"uuid": "ff47d3a8-a634-403a-b35b-9d2743afaced",
|
|
|
|
"value": ".reloc"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "size-in-bytes",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "size-in-bytes",
|
|
|
|
"uuid": "01ce6561-f841-4a07-a3ef-eb64593ae9bc",
|
|
|
|
"value": "512"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "Object describing a Portable Executable",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "pe",
|
|
|
|
"template_uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
|
|
|
|
"template_version": "3",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"uuid": "5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"ObjectReference": [
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"referenced_uuid": "65e8a61f-cd5e-46b3-8e43-f6ee835fb3ec",
|
|
|
|
"relationship_type": "header-of",
|
|
|
|
"timestamp": "1543921764",
|
|
|
|
"uuid": "5c066064-850c-4bec-a7a0-42a0950d210f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"referenced_uuid": "39cb5a66-0f5f-4e01-a711-6cd8e9f09843",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921765",
|
|
|
|
"uuid": "5c066065-2770-4baf-a6af-405f950d210f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"referenced_uuid": "1f222148-e8da-40d6-9f6c-6972afbaf41d",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921765",
|
|
|
|
"uuid": "5c066065-6abc-43d0-b952-4233950d210f"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"referenced_uuid": "8b5d0a9d-268b-42fa-8d68-a4df4450d56e",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921765",
|
|
|
|
"uuid": "5c066065-0868-4b7c-9683-4b25950d210f"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "internal-filename",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "filename",
|
|
|
|
"uuid": "e932385e-5696-4df3-9373-25c794b128cd",
|
|
|
|
"value": "mswinupdate.exe"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "original-filename",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": true,
|
|
|
|
"type": "filename",
|
|
|
|
"uuid": "f01d815e-41a3-4950-9786-1c6b9aea2057",
|
|
|
|
"value": "mswinupdate.exe"
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"category": "Other",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": true,
|
|
|
|
"object_relation": "number-sections",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
|
|
|
|
"type": "counter",
|
|
|
|
"uuid": "0afd8ad6-3501-4ae1-8372-760a7b4f2975",
|
|
|
|
"value": "4"
|
|
|
|
}
|
|
|
|
]
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"description": "File object describing a file with meta-information",
|
|
|
|
"meta-category": "file",
|
|
|
|
"name": "file",
|
|
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
|
|
"template_version": "15",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"uuid": "2d2d53cf-43da-42fa-81c2-e10aec13b33a",
|
|
|
|
"ObjectReference": [
|
|
|
|
{
|
|
|
|
"comment": "",
|
|
|
|
"object_uuid": "2d2d53cf-43da-42fa-81c2-e10aec13b33a",
|
|
|
|
"referenced_uuid": "5dd2cbdd-b576-4e07-970f-dc3c40164068",
|
|
|
|
"relationship_type": "included-in",
|
|
|
|
"timestamp": "1543921765",
|
|
|
|
"uuid": "5c066065-1d9c-4524-ad25-406d950d210f"
|
|
|
|
}
|
|
|
|
],
|
|
|
|
"Attribute": [
|
|
|
|
{
|
|
|
|
"category": "Payload delivery",
|
|
|
|
"comment": "",
|
|
|
|
"deleted": false,
|
|
|
|
"disable_correlation": false,
|
|
|
|
"object_relation": "md5",
|
|
|
|
"timestamp": "1543921759",
|
|
|
|
"to_ids": false,
"type": "md5",
"uuid": "a71bbf57-504f-44ff-8d65-fba9ed2732a1",
"value": "b96620d8a08fa436ea22ef480dd883ce"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1543921760",
"to_ids": false,
"type": "sha1",
"uuid": "60db42a9-c6f8-4c88-93f1-2b19fe1d55cb",
"value": "a1ab74d2f06a542e77ea2c6d641aae4ed163a2da"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1543921760",
"to_ids": false,
"type": "sha256",
"uuid": "38fcacf2-a903-4977-bafc-a2996b0a481f",
"value": "738c95f5bfe63a530b200a0d73f363d46c5671c1fcbb69c217e15a3516501a86"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1543921761",
"to_ids": false,
"type": "sha512",
"uuid": "9eed5a45-8184-4380-a7db-4053b2a29a44",
"value": "2a9f4ebb025c8e7b4e074d301477656ffad66318da5ea35ddc8363c17f4bdbf501778539133261adbb9f441066a1e2b79240306ad1877f5ef17009c8f05ff4a6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1543921761",
"to_ids": false,
"type": "ssdeep",
"uuid": "5b7b8028-7041-4837-9f57-0c16987931ef",
"value": "48:6ZMMEikGAgS7zfMFmZUX7OLbqMMou6ZVqsPIUlf41cjGPRMfNFrbvZiJY527qnfF:/ikGAgS7b0807M+And6c6mBiJYPezNt"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1543921762",
"to_ids": false,
"type": "filename",
"uuid": "1fd7a8d2-1563-4ddd-9c1e-0c000a785feb",
"value": "mswinupdate.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1543921762",
"to_ids": false,
"type": "mime-type",
"uuid": "31e0407b-393d-4365-8116-6ee430ef6a6a",
"value": "PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1543921762",
"to_ids": false,
"type": "float",
"uuid": "3bf70ff1-6da3-450b-9012-9e8350d849dc",
"value": "4.238961"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1543921762",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5e36d5a4-9de7-4e84-b682-ba720d96ed2a",
"value": "6144"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1543921762",
"uuid": "a4420cf2-b1ec-4dde-9895-0935df731c95",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1543921762",
"to_ids": false,
"type": "md5",
"uuid": "8412d295-191b-4ede-adfa-a506262e245e",
"value": "02c19bbf8e19bb69fc7870ec872d355e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1543921762",
"to_ids": false,
"type": "sha1",
"uuid": "678dc841-7084-4707-9818-43ef4ea08aae",
"value": "cc76586ef94122329e825c78aad2ecb9ac064343"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1543921763",
"to_ids": false,
"type": "sha256",
"uuid": "b516bbab-9eab-439d-8d02-f4b77297b2e6",
"value": "bbd4102fe25e73c0815d0c020d60d47dbbfbe79ef1e490e7b4f97640dd932b58"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha512",
"timestamp": "1543921763",
"to_ids": false,
"type": "sha512",
"uuid": "572f0e04-9432-4935-9b74-94341d46845b",
"value": "283681b5b8e78440bf474c8e50504e6e82f25bd3f6240d5e70600e43fc9fd609a78ee7b837c9b68aa25ed13f2ee735f360a18e614ded15e11bb62043cd028c99"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1543921764",
"to_ids": false,
"type": "ssdeep",
"uuid": "2584285f-5586-4077-b4e3-d8e80c52af81",
"value": "6:JF1ZzA+QragXsoNLYjClAVyXHI+CIwZALICLA9XEUXR/JgW:L1J4aSJF+dyXo+Bb0LEUhyW"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1543921764",
"to_ids": false,
"type": "filename",
"uuid": "e9850817-0144-4ea7-a168-b0dff36a6414",
"value": "g04inst.bat"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "mimetype",
"timestamp": "1543921764",
"to_ids": false,
"type": "mime-type",
"uuid": "baf2e0ac-9660-4281-b908-5755f425c677",
"value": "ASCII text, with CRLF line terminators"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "entropy",
"timestamp": "1543921764",
"to_ids": false,
"type": "float",
"uuid": "6d3922b6-21e8-4cbe-af33-403c761fd43c",
"value": "4.962735"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1543921764",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "bd111546-233c-41c8-8f25-3a5ad50bec74",
"value": "276"
}
]
}
]
}
}