misp-circl-feed/feeds/circl/misp/5bbb1f88-fe84-4834-bccd-7916950d210f.json

{
"Event": {
"analysis": "2",
"date": "2018-08-20",
"extends_uuid": "",
"info": "OSINT - New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles",
"publish_timestamp": "1539157331",
"published": true,
"threat_level_id": "3",
"timestamp": "1539157322",
"uuid": "5bbb1f88-fe84-4834-bccd-7916950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#2c4f00",
"name": "malware_classification:malware-category=\"Ransomware\""
},
{
"colour": "#3b7500",
"name": "circl:incident-classification=\"malware\""
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:ransomware=\"Matrix\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539079531",
"to_ids": false,
"type": "link",
"uuid": "5bbb2419-ffb4-41f3-ae26-215d950d210f",
"value": "https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539079517",
"to_ids": false,
"type": "text",
"uuid": "5bbb4c93-9990-42d6-a210-42cc950d210f",
"value": "A new variant of the Matrix Ransomware has been discovered that renames encrypted files and then appends the .FOX extension to the file name. Of particular interest, this ransomware may have the most exhaustive process for making sure each and every file is not open and is available for encryption. Thankfully, this also makes its encryption process very slow, so it could be easier to detect.\r\n\r\nThis ransomware variant was first discovered by security researcher MalwareHunterTeam and is installed on computers running Remote Desktop Services that are openly connected to the Internet. The attackers scan ranges of IP addresses to find open RDP services and then brute-force the password.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539071519",
"to_ids": true,
"type": "email-src",
"uuid": "5bbc5e1f-dabc-4346-8882-5450950d210f",
"value": "pabfox@protonmail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539071519",
"to_ids": true,
"type": "email-src",
"uuid": "5bbc5e1f-777c-421d-9604-5450950d210f",
"value": "foxhelp@cock.li"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539071520",
"to_ids": true,
"type": "email-src",
"uuid": "5bbc5e20-28dc-457e-891c-5450950d210f",
"value": "foxhelp@tutanota.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539073048",
"to_ids": true,
"type": "filename",
"uuid": "5bbc6418-2098-45c6-8ed7-602f950d210f",
"value": "%AppData%\\random.vbs"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539073049",
"to_ids": true,
"type": "filename",
"uuid": "5bbc6419-1050-491c-83d7-602f950d210f",
"value": "%AppData%\\random.bat"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539073049",
"to_ids": true,
"type": "filename",
"uuid": "5bbc6419-bd6c-43d1-a2d7-602f950d210f",
"value": "%AppData%\\random.bmp"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539073050",
"to_ids": true,
"type": "filename",
"uuid": "5bbc641a-8154-4851-aadc-602f950d210f",
"value": "%DownloadedFolder%\\.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539073050",
"to_ids": true,
"type": "filename",
"uuid": "5bbc641a-b840-4736-a500-602f950d210f",
"value": "%DownloadedFolder%\\.bat"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1539073089",
"to_ids": false,
"type": "text",
"uuid": "5bbc6441-7be4-4677-9ab0-6007950d210f",
"value": "HOW TO RECOVER YOUR FILES INSTRUCTION\r\nATENTION!!!\r\nWe are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED \r\nby our automatic software. It became possible because of bad server security. \r\nATENTION!!!\r\nPlease don't worry, we can help you to RESTORE your server to original\r\nstate and decrypt all your files quickly and safely!\r\n\r\nINFORMATION!!!\r\nFiles are not broken!!!\r\nFiles were encrypted with AES-128+RSA-2048 crypto algorithms.\r\nThere is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!\r\n* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!\r\n* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.\r\n\r\nHOW TO RECOVER FILES???\r\nPlease write us to the e-mail (write on English or use professional translator):\r\nPabFox@protonmail.com \r\nFoxHelp@cock.li\r\nFoxHelp@tutanota.com\r\nYou have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!\r\n \r\nIn subject line write your personal ID:\r\n[id]\r\nWe recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files. \r\n* Please note that files must not contain any valuable information and their total size must be less than 5Mb. \r\n\r\nOUR ADVICE!!!\r\nPlease be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.\r\n\r\nWe will definitely reach an agreement ;) !!!"
},
{
"category": "Payload delivery",
"comment": "Ransomnote",
"data": "/9j/4AAQSkZJRgABAQAAAQABAAD/4gl0SUNDX1BST0ZJTEUAAQEAAAlkAAAAAAIAAABtbnRyUkdCIFhZWiAH1AAMABcACQABAAlhY3NwTVNGVAAAAABTRUMgRlBEIAAAAAAAAAAAAAAAAQAA9tUAAQAAAADTLFNFQyAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA1jcHJ0AAABIAAAADhkZXNjAAABWAAAAIBkbW5kAAAB2AAAAHpkbWRkAAACVAAAAGJyWFlaAAACuAAAABRnWFlaAAACzAAAABRiWFlaAAAC4AAAABR3dHB0AAAC9AAAABRyVFJDAAADCAAAAgxnVFJDAAAFFAAAAgxiVFJDAAAHIAAAAgxjYWx0AAAJLAAAABR2aWV3AAAJQAAAACR0ZXh0AAAAAENvcHlyaWdodCAoYykgMjAwMyBTYW1zdW5nIEVsZWN0cm9uaWNzIENvLiwgTHRkAGRlc2MAAAAAAAAAJFNhbXN1bmcgLSBOYXR1cmFsIENvbG9yIFBybyAxLjAgSUNNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZGVzYwAAAAAAAAAdU2Ftc3VuZyBFbGVjdHJvbmljcyBDby4sIEx0ZAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRlc2MAAAAAAAAABSAgICAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABYWVogAAAAAAAAfDQAAEMMAAAB01hZWiAAAAAAAABVQQAApCYAABhWWFlaIAAAAAAAACVgAAAY0QAAuQNYWVogAAAAAAAA8z4AAQAAAAEWcGN1cnYAAAAAAAABAAAAAAAAAQADAAcACwARABgAIAApADQAQQBOAF0AbgCAAJQAqQDAANgA8gENASoBSQFpAYsBrwHUAfsCJAJPAnsCqQLZAwoDPQNyA6kD4gQcBFkElwTXBRkFXQWiBeoGMwZ+BssHGgdrB74IEwhqCMMJHQl6CdkKOQqcCwELZwvQDDoMpw0WDYYN+Q5uDuUPXg/ZEFYQ1RFWEdkSXhLmE28T+xSJFRkVqhY/FtUXbRgIGKQZQxnkGocbLBvUHH4dKR3XHocfOh/uIKUhXiIZItcjliRYJRwl4yarJ3YoQykSKeQqtyuOLGYtQC4dLvwv3jDBMacykDN6NGc1VjZINzw4MjkqOiU7IjwhPSM+Jz8uQDZBQUJPQ19EcUWFRpxHtUjRSe9LD0wyTVdOf0+pUNVSBFM1VGhVnlbXWBFZTlqOW9BdFF5bX6Rg8GI+Y49k4mY3Z49o6WpGa6VtB25rb9JxO3KndBV1hXb4eG555ntgfN1+XX/fgWOC6oRzhf+HjokfirKMSI3hj3yRGZK5lFyWAZepmVObAJyvnmGgFaHMo4alQqcBqMKqhaxMrhWv4LGus3+1UrcouQC627y4vpjAe8JgxEjGMsggyg/MAc32z+7R6NPl1eTX5tnq2/Hd++AI4hfkKOY96FTqbeyJ7qjwyvLu9RX3Pvlq+5n9yv//Y3VydgAAAAAAAAEAAAAAAAABAAMABwALABEAGAAgACkANABBAE4AXQBuAIAAlACpAMAA2ADyAQ0BKgFJAWkBiwGvAdQB+wIkAk8CewKpAtkDCgM9A3IDqQPiBBwEWQSXBNcFGQVdBaIF6gYzBn4GywcaB2sHvggTCGoIwwkdCXoJ2Qo5CpwLAQtnC9AMOgynDRYNhg35Dm4O5Q9
eD9kQVhDVEVYR2RJeEuYTbxP7FIkVGRWqFj8W1RdtGAgYpBlDGeQahxssG9Qcfh0pHdcehx86H+4gpSFeIhki1yOWJFglHCXjJqsndihDKRIp5Cq3K44sZi1ALh0u/C/eMMExpzKQM3o0ZzVWNkg3PDgyOSo6JTsiPCE9Iz4nPy5ANkFBQk9DX0RxRYVGnEe1SNFJ70sPTDJNV05/T6lQ1VIEUzVUaFWeVtdYEVlOWo5b0F0UXltfpGDwYj5jj2TiZjdnj2jpakZrpW0Hbmtv0nE7cqd0FXWFdvh4bnnme2B83X5df9+BY4LqhHOF/4eOiR+KsoxIjeGPfJEZkrmUXJYBl6mZU5sAnK+eYaAVocyjhqVCpwGowqqFrEyuFa/gsa6zf7VStyi5ALrbvLi+mMB7wmDESMYyyCDKD8wBzfbP7tHo0+XV5Nfm2erb8d374AjiF+Qo5j3oVOpt7InuqPDK8u71Ffc++Wr7mf3K//9jdXJ2AAAAAAAAAQAAAAAAAAEAAwAHAAsAEQAYACAAKQA0AEEATgBdAG4AgACUAKkAwADYAPIBDQEqAUkBaQGLAa8B1AH7AiQCTwJ7AqkC2QMKAz0DcgOpA+IEHARZBJcE1wUZBV0FogXqBjMGfgbLBxoHawe+CBMIagjDCR0JegnZCjkKnAsBC2cL0Aw6DKcNFg2GDfkObg7lD14P2RBWENURVhHZEl4S5hNvE/sUiRUZFaoWPxbVF20YCBikGUMZ5BqHGywb1Bx+HSkd1x6HHzof7iClIV4iGSLXI5YkWCUcJeMmqyd2KEMpEinkKrcrjixmLUAuHS78L94wwTGnMpAzejRnNVY2SDc8ODI5KjolOyI8IT0jPic/LkA2QUFCT0NfRHFFhUacR7VI0UnvSw9MMk1XTn9PqVDVUgRTNVRoVZ5W11gRWU5ajlvQXRReW1+kYPBiPmOPZOJmN2ePaOlqRmulbQdua2/ScTtyp3QVdYV2+HhueeZ7YHzdfl1/34FjguqEc4X/h46JH4qyjEiN4Y98kRmSuZRclgGXqZlTmwCcr55hoBWhzKOGpUKnAajCqoWsTK4Vr+CxrrN/tVK3KLkAutu8uL6YwHvCYMRIxjLIIMoPzAHN9s/u0ejT5dXk1+bZ6tvx3fvgCOIX5CjmPehU6m3sie6o8Mry7vUV9z75avuZ/cr//2R0aW0AAAAAB9QADAAXAAkABwAPdmlldwAAAAAFdU1zBb6WlwY/fZoBF3XkASYeHgE/5ewAAAAC/9sAQwAQCwsLDAsQDAwQFw8NDxcbFBAQFBsfFxcXFxcfHhcaGhoaFx4eIyUnJSMeLy8zMy8vQEBAQEBAQEBAQEBAQEBA/9sAQwERDw8RExEVEhIVFBEUERQaFBYWFBomGhocGhomMCMeHh4eIzArLicnJy4rNTUwMDU1QEA/QEBAQEBAQEBAQEBA/8IAEQgF3APiAwEiAAIRAQMRAf/EABoAAQADAQEBAAAAAAAAAAAAAAACAwQBBQb/xAAYAQEBAQEBAAAAAAAAAAAAAAAAAQMCBP/aAAwDAQACEAMQAAAB9Wzvndc7p+L7BJd5861MvoFKeaS5LpBdWRRkF1ZFcKVwpXClcKVwpXClcKVwpXClcKVwpXClcKV0StmtLFdxFSLlIuVC1ATRgWnDrnQr6TV9JlJcQJoaSl2ktcgWLJFK4UrhSuFK4UrhSuFK4UrhSuFK4UrhSuFK4UrsRenMpcoNCVhSuFK4Us2kLqjinYeMm149DFGzm5vUyD0fOJ130PO0GmJzY2REohXPolTcAAAAAAAAAAAAAEJjNO4Zu6BnhrGSWkZmkZ+aRXRrGeOoY+6xjlqGRrFENQytQw65imOgY5ahzoAAAAAAAAAAAAAKbgBVDQITCntoAonYFVtBzRnGFW1z80acWT5dLnhqynPW8n1pfUjKrDSUap1LlPLN8ZR56lVbQclmsJM9xonGQBnVC5nmWaPP9AArgrLeUxNSvhdXVaS
hXI0yADLLNYXcr4WWZJF3YRNUqrQCjlHDSzSNHKuGi3LqAM/ahYomXTxbSYI06MBfKms2zhMAAAAAAAAAAAAAAA
"deleted": false,
"disable_correlation": false,
"timestamp": "1539074880",
"to_ids": false,
"type": "attachment",
"uuid": "5bbc6720-8aa4-4c50-b6d9-602f950d210f",
"value": "ransom-note-redacted.jpg"
},
{
"category": "Payload delivery",
"comment": "Ransomnote - Desktop background",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1539074924",
"to_ids": false,
"type": "attachment",
"uuid": "5bbc6b6c-f4b8-4833-a2f0-6012950d210f",
"value": "fox-background.jpg"
},
{
"category": "Payload delivery",
"comment": "At the end of the encryption process, a randomly named .vbs file in the %AppData% folder is launched and used to register a scheduled task named DSHCA. This scheduled task runs a batch file with administrative privileges that cleans up the computer and disables various repair features.",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1539076919",
"to_ids": false,
"type": "attachment",
"uuid": "5bbc7337-c298-4840-bfd9-7f7f950d210f",
"value": "create-task.jpg"
},
{
"category": "Payload delivery",
"comment": "This batch file is located in the %AppData% folder as well and will delete shadow volume copies using WMIC, powershell, and vssadmin, remove Windows recovery startup, and delete the VBS file, scheduled task, and itself.",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1539077522",
"to_ids": false,
"type": "attachment",
"uuid": "5bbc7592-d148-4e53-83d3-7fe6950d210f",
"value": "cleanup-batch-file.jpg"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1539072768",
"uuid": "5bbc6300-c92c-4478-9d96-5456950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1539072768",
"to_ids": true,
"type": "sha256",
"uuid": "5bbc6300-59d4-485c-bdb8-5456950d210f",
"value": "0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1539072769",
"to_ids": false,
"type": "text",
"uuid": "5bbc6301-77a0-4c6e-96c0-5456950d210f",
"value": "Malicious"
}
]
},
{
"comment": "Ransomnote",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1539072918",
"uuid": "5bbc6396-dbdc-46ee-b882-60c7950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1539072918",
"to_ids": true,
"type": "filename",
"uuid": "5bbc6396-76a8-4746-a3e6-60c7950d210f",
"value": "#FOX_README#.rtf"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1539072922",
"to_ids": false,
"type": "text",
"uuid": "5bbc639a-f928-4a2f-94fd-60c7950d210f",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1539157295",
"uuid": "12119283-9931-40f3-bff6-97439d358a0d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "12119283-9931-40f3-bff6-97439d358a0d",
"referenced_uuid": "b26bb70c-ce60-4296-a44f-16928c6826f0",
"relationship_type": "analysed-with",
"timestamp": "1539157299",
"uuid": "5bbdad33-8950-4e3b-917b-4b9602de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1539157292",
"to_ids": true,
"type": "md5",
"uuid": "d2931bcc-ce43-400b-a94d-956645ef35a5",
"value": "76b640aa00354e46b29ca7ac2adfd732"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1539157297",
"to_ids": true,
"type": "sha1",
"uuid": "e80c6f2f-d9b5-4d49-b8f0-0e6edb3b3846",
"value": "afebf9d72ba7186afefebf4deda87675621b0b8b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1539157297",
"to_ids": true,
"type": "sha256",
"uuid": "c48bdc71-5bc5-41a0-b309-d009f2090103",
"value": "0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1539157298",
"uuid": "b26bb70c-ce60-4296-a44f-16928c6826f0",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1539157298",
"to_ids": false,
"type": "datetime",
"uuid": "e2030b2e-550b-4a1b-a93e-1c02dee0ad73",
"value": "2018-09-27T06:49:04"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1539157298",
"to_ids": false,
"type": "link",
"uuid": "67045a09-7660-427b-9976-0c4217fbbb3c",
"value": "https://www.virustotal.com/file/0b03bf1c7b596a862978999eebfa0703e6de48912c9a57e2fed3ae5cd747bea7/analysis/1538030944/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1539157299",
"to_ids": false,
"type": "text",
"uuid": "ca8b504d-51aa-4e7b-976d-6953f54b7fd2",
"value": "48/68"
}
]
}
]
}
}