{
"Event": {
"analysis": "2",
"date": "2018-11-29",
"extends_uuid": "",
"info": "OSINT - Hancitor active again with new macro - IoCs",
"publish_timestamp": "1543579828",
"published": true,
"threat_level_id": "3",
"timestamp": "1543579806",
"uuid": "5c00e9b7-50ac-4aa7-b893-4a63950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0c9200",
"name": "misp-galaxy:tool=\"Hancitor\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Hancitor\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#002642",
"name": "osint:source-type=\"microblog-post\""
}
],
"Attribute": [
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566479",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5c00f48f-3d78-42e6-aebb-4eee950d210f",
|
||
|
"value": "https://ghostbin.com/paste/z6sox/raw"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566706",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f572-aefc-49bc-b505-4203950d210f",
|
||
|
"value": "appersonpropertiesinc.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566707",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f573-9208-4fc5-a5d4-45fc950d210f",
|
||
|
"value": "g-cals.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566707",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f573-095c-4d84-800e-4858950d210f",
|
||
|
"value": "honeyhillfarmspop.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566708",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f574-ad44-4525-828e-49d1950d210f",
|
||
|
"value": "joincryptofundraiser.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566708",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f574-0bdc-43d6-afca-4b77950d210f",
|
||
|
"value": "joincrytofundraisernow.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566709",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f575-a240-4535-a731-4a0b950d210f",
|
||
|
"value": "joincrytofundraisernow.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566709",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f575-d998-42cf-90d3-4cae950d210f",
|
||
|
"value": "joincrytofundraisernow.us"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566710",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f576-ce8c-4d0a-b51e-4b8b950d210f",
|
||
|
"value": "kenapperson.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566710",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f576-6140-43bc-8345-4134950d210f",
|
||
|
"value": "localloop-wi.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566711",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f577-3104-4a12-b2c4-4d45950d210f",
|
||
|
"value": "localloop-wi.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566711",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f577-cbb8-4e3e-976b-45ba950d210f",
|
||
|
"value": "localloopwi.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566711",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f577-b704-4b31-bfa8-448e950d210f",
|
||
|
"value": "minaskaowners.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566712",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f578-5840-4e81-ab8d-4284950d210f",
|
||
|
"value": "mogamecalls.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566712",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f578-165c-41e2-88a8-4cf8950d210f",
|
||
|
"value": "mybabyguam.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566713",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f579-e980-40d4-848a-492b950d210f",
|
||
|
"value": "satsumasgeorgia.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566713",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f579-e164-4098-916f-4e9f950d210f",
|
||
|
"value": "satsumassales.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566714",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f57a-0110-4dd4-a217-4305950d210f",
|
||
|
"value": "satsumasschoolfundraiser.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Delivery domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543566714",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5c00f57a-b468-4b91-91e2-4441950d210f",
|
||
|
"value": "wilocalloop.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "29qni11",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567512",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f898-a8e8-4fb0-bf2e-4ed3950d210f",
|
||
|
"value": "http://geeventsehin.com/4/forum.php|http://tonshekinar.ru/4/forum.php|http://fidosofwass.ru/4/forum.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567755",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98b-dae8-426f-b451-484e950d210f",
|
||
|
"value": "http://oriton.ru/wp-includes/1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567756",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98c-b284-4198-9be7-4781950d210f",
|
||
|
"value": "http://arsmarri.ru/wp-content/themes/Helix/1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567756",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98c-b898-4260-aff4-4f37950d210f",
|
||
|
"value": "http://bigheartstorage.com/wp-admin/includes/1|http://letortedierica.it/wp-admin/includes/1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567757",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98d-9cfc-4f4b-9cf5-467c950d210f",
|
||
|
"value": "http://bdhsxj.com/wp-content/plugins/wp-no-category-base/1}{b:http://oriton.ru/wp-includes/2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567757",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98d-2c9c-45b4-b952-40e5950d210f",
|
||
|
"value": "http://arsmarri.ru/wp-content/themes/Helix/2|http://bigheartstorage.com/wp-admin/includes/2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567758",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98e-9730-4759-b9fa-4fe7950d210f",
|
||
|
"value": "http://letortedierica.it/wp-admin/includes/2|http://bdhsxj.com/wp-content/plugins/wp-no-category-base/2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567758",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98e-b6ac-4e2c-8dd7-44bd950d210f",
|
||
|
"value": "http://oriton.ru/wp-includes/3|http://arsmarri.ru/wp-content/themes/Helix/3"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567759",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98f-1a6c-439a-b1b3-4214950d210f",
|
||
|
"value": "http://bigheartstorage.com/wp-admin/includes/3|http://letortedierica.it/wp-admin/includes/3"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543567759",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00f98f-d1f4-477b-95c8-401d950d210f",
|
||
|
"value": "http://bdhsxj.com/wp-content/plugins/wp-no-category-base/3"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pony MLU",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543568428",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00fc2c-30e0-404d-84fd-4330950d210f",
|
||
|
"value": "http://geeventsehin.com/mlu/forum.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pony MLU",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543568429",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00fc2d-51ec-48e1-9a2c-452d950d210f",
|
||
|
"value": "http://tonshekinar.ru/mlu/forum.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pony MLU",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543568429",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00fc2d-b064-4415-ad73-4865950d210f",
|
||
|
"value": "http://fidosofwass.ru/mlu/forum.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pony D2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569342",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffbe-990c-4dff-a33a-4de9950d210f",
|
||
|
"value": "http://geeventsehin.com/d2/about.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Pony D2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569342",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffbe-c144-4fde-8dde-4db9950d210f",
|
||
|
"value": "http://tonshekinar.ru/d2/about.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569343",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffbf-be1c-433f-91df-4c19950d210f",
|
||
|
"value": "api2.doter.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569343",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffbf-ad70-4a08-bd63-48a8950d210f",
|
||
|
"value": "beetfeetlife.bit/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569344",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc0-b0d0-46d3-878c-48c9950d210f",
|
||
|
"value": "in.extremas.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569344",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc0-aba8-4f83-b640-40a8950d210f",
|
||
|
"value": "asx.zenjom.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569345",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc1-6fa0-400b-b2ab-40ec950d210f",
|
||
|
"value": "g2.ex100p.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569345",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc1-01cc-45a0-b262-44b8950d210f",
|
||
|
"value": "gif.doter.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569346",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc2-a904-44d3-a973-4698950d210f",
|
||
|
"value": "extra.avareg.cn/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569346",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc2-4110-4b90-ba63-497f950d210f",
|
||
|
"value": "foo.avaregio.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569346",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc2-c930-4f40-8442-45e7950d210f",
|
||
|
"value": "op.iowbased.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569347",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc3-5944-4409-9906-4d39950d210f",
|
||
|
"value": "ws.doter.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569347",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc3-6744-4c15-8e89-4871950d210f",
|
||
|
"value": "f1.cnboal.at/webstore"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1543569348",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00ffc4-1dd4-42e1-b3b9-46d5950d210f",
|
||
|
"value": "xxx.doolop.at/webstore"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "microblog",
|
||
|
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
|
||
|
"template_version": "4",
|
||
|
"timestamp": "1543565255",
|
||
|
"uuid": "5c00efc7-b804-4eee-b209-4f07950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "post",
|
||
|
"timestamp": "1543565256",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5c00efc8-0df4-432b-b5da-4e45950d210f",
|
||
|
"value": "Hancitor is active again with a new macro. I haven't fully analyzed the macro yet, but here are the IoCs I have so far:\r\n(link: https://ghostbin.com/paste/z6sox/raw) ghostbin.com/paste/z6sox/raw"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "type",
|
||
|
"timestamp": "1543565256",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5c00efc8-30c4-4a58-ac9c-445d950d210f",
|
||
|
"value": "Twitter"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1543565256",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00efc8-85b4-41d7-9c45-4d69950d210f",
|
||
|
"value": "https://mobile.twitter.com/mesa_matt/status/1068180573980631043"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "link",
|
||
|
"timestamp": "1543565257",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c00efc9-2d9c-4303-9c75-43a3950d210f",
|
||
|
"value": "ghostbin.com/paste/z6sox/raw"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "creation-date",
|
||
|
"timestamp": "1543565257",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "5c00efc9-e678-4354-9c9d-48c9950d210f",
|
||
|
"value": "2018-11-29T17:31:00"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "username",
|
||
|
"timestamp": "1543565258",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5c00efca-7718-406c-88cf-49f6950d210f",
|
||
|
"value": "Hancitor is active again with a new macro. I haven't fully analyzed the macro yet, but here are the IoCs I have so far:\r\n(link: https://ghostbin.com/paste/z6sox/raw) ghostbin.com/paste/z6sox/raw"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "document",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1543567469",
|
||
|
"uuid": "5c00f86d-ee94-4860-ac73-43c3950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1543567469",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c00f86d-01ac-4de6-b746-4281950d210f",
|
||
|
"value": "a4276750a825c73f465bf67672b06f19613db82c047f9c0daa7c971c1d231fac"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "state",
|
||
|
"timestamp": "1543567470",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5c00f86e-fae4-4d1e-b388-4744950d210f",
|
||
|
"value": "Malicious"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "11",
|
||
|
"timestamp": "1543579798",
|
||
|
"uuid": "01bab117-1ff1-45dd-ab99-543bc32c67e3",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1543579798",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "e7ca7cbf-34cf-44f3-9532-b6bcd731de96",
|
||
|
"value": "9aff54da8d88f6794ce900fd3bf2ad62"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1543579798",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "45a37cc2-b6cf-4fa4-b13c-77d774eab636",
|
||
|
"value": "f403fa334c8804020b9a2f1620ca6a251c34827c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1543579799",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "77cb92ef-099b-4f2b-82ff-399a29b6f85e",
|
||
|
"value": "a4276750a825c73f465bf67672b06f19613db82c047f9c0daa7c971c1d231fac"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1543579799",
|
||
|
"uuid": "e9b584ea-284f-42cc-b56e-8d9a6aa7ffbb",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1543579799",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "e8b48c37-59bf-4e42-a194-35e302aa0472",
|
||
|
"value": "2018-11-29T19:57:53"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1543579800",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "9ca4f760-6bc8-409e-98e5-f580470835eb",
|
||
|
"value": "https://www.virustotal.com/file/a4276750a825c73f465bf67672b06f19613db82c047f9c0daa7c971c1d231fac/analysis/1543521473/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1543579800",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "61b7f264-dbce-48b9-ac65-846bc4a535e8",
|
||
|
"value": "10/58"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
]
|
||
|
}
}