{
|
||
|
"Event": {
|
||
|
"analysis": "0",
|
||
|
"date": "2019-02-22",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT - New BabyShark Malware Targets U.S. National Security Think Tanks",
|
||
|
"publish_timestamp": "1551019543",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1551019536",
|
||
|
"uuid": "5c706a30-8ad4-4fcc-9e17-4d3d02de0b81",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0071c3",
|
||
|
"name": "osint:lifetime=\"perpetual\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Stolen Developer Credentials or Signing Keys - T1441\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:tool=\"BabyShark\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:threat-actor=\"STOLEN PENCIL\""
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871103",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5c706a3f-bfc4-43aa-8158-4ba702de0b81",
|
||
|
"value": "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871120",
|
||
|
"to_ids": false,
|
||
|
"type": "comment",
|
||
|
"uuid": "5c706a50-24a0-41c5-abcc-4a8c02de0b81",
|
||
|
"value": "In February 2019, Palo Alto Networks Unit 42 researchers identified spear phishing emails sent in November 2018 containing new malware that shares infrastructure with playbooks associated with North Korean campaigns. The spear phishing emails were written to appear as though they were sent from a nuclear security expert who currently works as a consultant for in the U.S. The emails were sent using a public email address with the expert\u2019s name and had a subject referencing North Korea\u2019s nuclear issues. The emails had a malicious Excel macro document attached, which when executed led to a new Microsoft Visual Basic (VB) script-based malware family which we are dubbing \u201cBabyShark\u201d.\r\n\r\nBabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution."
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871146",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5c706a6a-e8dc-4bdd-b4a6-455002de0b81",
|
||
|
"value": "https://tdalpacafarm.com/files/kr/contents/Vkggy0.hta"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aa9-6d34-4e8e-9eee-4baf02de0b81",
|
||
|
"value": "7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aa9-5228-42ab-9124-429e02de0b81",
|
||
|
"value": "9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aa9-c114-48bf-ad10-414e02de0b81",
|
||
|
"value": "2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aa9-633c-4553-a6d5-4f6002de0b81",
|
||
|
"value": "66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aaa-033c-4199-abb5-47d502de0b81",
|
||
|
"value": "8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aaa-e2bc-4506-85f2-4af102de0b81",
|
||
|
"value": "331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aaa-65e8-447c-bc54-46a502de0b81",
|
||
|
"value": "1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aaa-4ca8-4489-bbde-4c2f02de0b81",
|
||
|
"value": "dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706aaa-090c-47e7-b8ca-4c8f02de0b81",
|
||
|
"value": "94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "PE version loader, signed with stolen certificate:",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871258",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5c706ada-4610-4c99-a616-416a02de0b81",
|
||
|
"value": "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Decoy Filename",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871438",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "5c706b8e-91f8-4722-ac8b-4aff02de0b81",
|
||
|
"value": "Kendall-AFA 2014 Conference-17Sept14.pdf"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Decoy Filename",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871438",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "5c706b8e-f1a4-404c-9a5d-41a902de0b81",
|
||
|
"value": "U.S. Nuclear Deterrence.pdf"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Decoy Filename",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871438",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "5c706b8e-e198-4d15-a8d6-4f9702de0b81",
|
||
|
"value": "\u00ec\u00a0\u015330\u00ec\u00b0\u00a8\u00ed\u2022\u0153\u00eb\u00af\u00b8\u00ec\u2022\u02c6\u00eb\u00b3\u00b4 \u00ec\u2022\u02c6\u00eb\u201a\u00b4\u00ec\u017e\u00a5 ENKO.fdp.etadpU.scr (translates to 30th Korea-U.S. National Security Invitation Update)"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Decoy Filename",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871438",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "5c706b8e-f3ec-4eb9-9829-4f3f02de0b81",
|
||
|
"value": "Conference Information_2010 IFANS Conference on Global Affairs (1001).pdf"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator. Figure 1, below, shows the flow of execution.",
|
||
|
"data": "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
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1550871982",
|
||
|
"to_ids": false,
|
||
|
"type": "attachment",
|
||
|
"uuid": "5c706dae-90f4-4374-b312-489102de0b81",
|
||
|
"value": "Figure-1-BabyShark-execution-flow.png"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1551019536",
|
||
|
"to_ids": true,
|
||
|
"type": "yara",
|
||
|
"uuid": "5c72ae10-aa9c-4068-853b-4b4602de0b81",
|
||
|
"value": "import \"pe\"\r\n\r\nrule MAL_PE_Type_BabyShark_Loader {\r\n meta:\r\n description = \"Detects PE Type babyShark loader mentioned in February 2019 blog post by PaloAltNetworks\"\r\n author = \"Florian Roth\"\r\n reference = \"https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/\"\r\n date = \"2019-02-24\"\r\n hash1 = \"6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c\"\r\n strings:\r\n $x1 = \"reg add \\\"HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Command Processor\\\" /v AutoRun /t REG_SZ /d \\\"%s\\\" /f\" fullword ascii\r\n $x2 = /mshta\\.exe http:\\/\\/[a-z0-9\\.\\/]{5,30}\\.hta/\r\n\r\n $xc1 = { 57 69 6E 45 78 65 63 00 6B 65 72 6E 65 6C 33 32\r\n 2E 44 4C 4C 00 00 00 00 } /* WinExec kernel32.DLL */\r\n condition:\r\n uint16(0) == 0x5a4d and (\r\n pe.imphash() == \"57b6d88707d9cd1c87169076c24f962e\" or\r\n 1 of them or\r\n for any i in (0 .. pe.number_of_signatures) : (\r\n pe.signatures[i].issuer contains \"thawte SHA256 Code Signing CA\" and\r\n pe.signatures[i].serial == \"0f:ff:e4:32:a5:3f:f0:3b:92:23:f8:8b:e1:b8:3d:9d\"\r\n )\r\n )\r\n}"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1550871228",
|
||
|
"uuid": "1db36cab-7b13-4758-b16a-9e9862d0973e",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "1db36cab-7b13-4758-b16a-9e9862d0973e",
|
||
|
"referenced_uuid": "aea77d6f-2193-40e9-82c5-59726e0dfd2d",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1550871230",
|
||
|
"uuid": "5c706abe-99e0-49bd-b7ee-4d5002de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "6411ce6c-7a8c-4523-848b-3ebb80b47f65",
|
||
|
"value": "404ab5a93767a986b47c9fec33eb8be9"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "a0a8cacd-9d55-4c55-9055-14e08141cc6c",
|
||
|
"value": "0a631b0072cee1e20854b187276a0ba560d6d4f8"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "61768832-cc80-4637-a0c4-794253bba246",
|
||
|
"value": "94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1550871228",
|
||
|
"uuid": "aea77d6f-2193-40e9-82c5-59726e0dfd2d",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "4eb49e21-42c9-4653-93da-600ca773ffa9",
|
||
|
"value": "2019-02-22T20:12:18"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "0a0bda5b-9761-44e3-a0da-c365c6fbab76",
|
||
|
"value": "https://www.virustotal.com/file/94a09aff59c0c27d1049509032d5ba05e9285fd522eb20b033b8188e0fee4ff0/analysis/1550866338/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "6fa3c325-b92c-41bd-8ab3-283272c6b440",
|
||
|
"value": "25/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1550871228",
|
||
|
"uuid": "3b8f6a45-0b7f-4bea-ad61-0369f01cc306",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "3b8f6a45-0b7f-4bea-ad61-0369f01cc306",
|
||
|
"referenced_uuid": "7ba926a9-161b-4412-99ff-cee104b6a329",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1550871230",
|
||
|
"uuid": "5c706abe-9e0c-4b24-b6af-436302de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "d45365f9-5d44-41d1-bbf0-4128f2ecabef",
|
||
|
"value": "d40c20a77371309045f5123af76637b2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "91bd51d5-5847-4c09-8152-0754aca32ffa",
|
||
|
"value": "d1207b7b846b80418b459e9d03e1b5afbd3e97a7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "f46f938e-8d82-4d8a-b996-6343846b798a",
|
||
|
"value": "66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1550871228",
|
||
|
"uuid": "7ba926a9-161b-4412-99ff-cee104b6a329",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "6e483df8-fa53-4b98-b6da-100b79de2663",
|
||
|
"value": "2019-02-22T20:07:15"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "ce797b8c-fa71-4267-a4ee-94eb6e873e88",
|
||
|
"value": "https://www.virustotal.com/file/66439f0e377bbe8cda3e516e801a86c64688e7c3dde0287b1bfb298a5bdbc2a2/analysis/1550866035/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "86a138ea-5eba-4594-a3fb-e8af55be9dbe",
|
||
|
"value": "20/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1550871228",
|
||
|
"uuid": "8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "8cc1ffb8-e4b2-4641-a536-ea843ff9bc7a",
|
||
|
"referenced_uuid": "5de67962-66f3-48c8-b33f-734e4b8dc989",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1550871230",
|
||
|
"uuid": "5c706abe-fc0c-4d62-be6c-425302de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "de3bac84-c7e2-48f8-8d32-116274000be5",
|
||
|
"value": "093ecb712d438ab01b3f07718428dcc7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "14e391d3-7730-4841-8ede-2deb0f3ad706",
|
||
|
"value": "89b9b7f2c3eb275eabe78c04a30dc09281a201e6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "eb9245ad-132c-4279-a3ad-d7f5aa0131cc",
|
||
|
"value": "7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1550871228",
|
||
|
"uuid": "5de67962-66f3-48c8-b33f-734e4b8dc989",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "0bd77c93-27ad-47e8-bd9d-c38732323fd5",
|
||
|
"value": "2019-02-22T20:03:13"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "155a8b3c-e603-4283-91b2-1a6258b93bf8",
|
||
|
"value": "https://www.virustotal.com/file/7b77112ac7cbb7193bcd891ce48ab2acff35e4f8d523980dff834cb42eaffafa/analysis/1550865793/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "162fe627-abe9-4abb-8095-c39dee340f84",
|
||
|
"value": "22/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1550871229",
|
||
|
"uuid": "89e0ad73-a186-4959-b978-2311ee49e4af",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "89e0ad73-a186-4959-b978-2311ee49e4af",
|
||
|
"referenced_uuid": "99e0b99b-e1cf-4451-8eec-972978c821d8",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1550871230",
|
||
|
"uuid": "5c706abe-7c28-48ab-bce2-4c9702de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "2ca5845e-286c-458e-a970-568968a3575f",
|
||
|
"value": "711eb1d89764d45f4ff2622143f744c2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "1ad21473-1980-45ee-a596-fb6890abded1",
|
||
|
"value": "548b64c0f904733dd5433f6f3878487eeda54fa1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "e6c1fd36-35fe-49bc-9483-00dff515a29b",
|
||
|
"value": "1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1550871229",
|
||
|
"uuid": "99e0b99b-e1cf-4451-8eec-972978c821d8",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "f2a9431e-464e-4ae7-a53f-e24685f03b82",
|
||
|
"value": "2018-11-27T12:07:50"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "2ce90e53-a834-4ac6-9db6-6213d7629ccc",
|
||
|
"value": "https://www.virustotal.com/file/1334c087390fb946c894c1863dfc9f0a659f594a3d6307fb48f24c30a23e0fc0/analysis/1543320470/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "99bd1115-adc9-42b0-9500-878f593f001c",
|
||
|
"value": "22/60"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1550871229",
|
||
|
"uuid": "4dbf697b-11ce-447f-85c6-cd02a2365a7f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "4dbf697b-11ce-447f-85c6-cd02a2365a7f",
|
||
|
"referenced_uuid": "1d288045-6e66-43a6-94b7-600044369fa7",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1550871230",
|
||
|
"uuid": "5c706abe-b378-4ec6-ab67-490f02de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "b9b1470d-a8f1-4aab-aec6-9c20f8452879",
|
||
|
"value": "6b116d471a787eb520869ed5c6965fa8"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "2bea0406-889e-4e2a-9ea3-da2cc2e443fc",
|
||
|
"value": "ec4bd72fcb440f47912d06c75a9d56ad86953f70"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "6c390d2d-82a8-4fbd-b8c6-cd1f11ca8d0e",
|
||
|
"value": "dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1550871229",
|
||
|
"uuid": "1d288045-6e66-43a6-94b7-600044369fa7",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "2ca3b301-e08c-4cfa-b005-90ff52d13af0",
|
||
|
"value": "2019-02-22T20:11:49"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "1082dea9-353d-4932-a02c-3f87fe6c059a",
|
||
|
"value": "https://www.virustotal.com/file/dc425e93e83fe02da9c76b56f6fd286eace282eaad6d8d497e17b3ec4059020a/analysis/1550866309/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1550871210",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "9675abe7-0743-435a-881d-bfd772c55225",
|
||
|
"value": "22/58"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1550871229",
|
||
|
"uuid": "6860e975-938c-413d-b144-74cde72c25dc",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "6860e975-938c-413d-b144-74cde72c25dc",
|
||
|
"referenced_uuid": "ee3df33a-a5df-4f0a-887d-9fe0aba2d90a",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1550871230",
|
||
|
"uuid": "5c706abe-be44-449d-8118-46c202de0b81"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "9d066d52-7b45-425f-96d7-15be7fc74c74",
|
||
|
"value": "1f1f44a01d5784028302d6ad5e7133aa"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "f3258f42-f31d-4a7c-9113-c4dc96dacf9c",
|
||
|
"value": "cb1125d5a57a529bf88bf590c0cb675f37261839"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "6d73772d-9487-4f05-8917-0040d6f1d3af",
|
||
|
"value": "2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1550871229",
|
||
|
"uuid": "ee3df33a-a5df-4f0a-887d-9fe0aba2d90a",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "03562590-3096-4587-b05d-11a6e257b5d9",
|
||
|
"value": "2019-02-22T20:04:58"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Malicious Documents",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1550871209",
|
||
|
"to_ids": false,
"type": "link",
"uuid": "bf0ca902-1a55-4640-a8d9-41f0e0f7a29d",
"value": "https://www.virustotal.com/file/2b6dc1a826a4d5d5de5a30b458e6ed995a4cfb9cad8114d1197541a86905d60e/analysis/1550865898/"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1550871209",
"to_ids": false,
"type": "text",
"uuid": "68ed8acc-bb3c-4654-b65b-c25b8a3c37cd",
"value": "21/55"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1550871229",
"uuid": "df5dd372-ecd6-4595-ab34-45bff1decb63",
"ObjectReference": [
{
"comment": "",
"object_uuid": "df5dd372-ecd6-4595-ab34-45bff1decb63",
"referenced_uuid": "f2146c3b-d6f7-471c-bb4a-2b831e2849f6",
"relationship_type": "analysed-with",
"timestamp": "1550871230",
"uuid": "5c706abe-a1b8-45fc-bd1a-45d702de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1550871210",
"to_ids": true,
"type": "md5",
"uuid": "dfc28b74-63f1-48d0-b637-eeb604df4e7a",
"value": "76e71cf45e99d03a92c8271998a1caee"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1550871210",
"to_ids": true,
"type": "sha1",
"uuid": "1eaec0ad-a007-4b29-89da-15b34bc69c18",
"value": "818bfc1fdb8126b58835e77f13afa9435e883919"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1550871210",
"to_ids": true,
"type": "sha256",
"uuid": "7a651cf8-2950-41c8-b2c5-80ea25c87d99",
"value": "331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1550871229",
"uuid": "f2146c3b-d6f7-471c-bb4a-2b831e2849f6",
"Attribute": [
{
"category": "Other",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1550871210",
"to_ids": false,
"type": "datetime",
"uuid": "b1e2fbea-a39d-41ce-a748-bc257b01aa2b",
"value": "2019-02-22T20:10:06"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1550871210",
"to_ids": false,
"type": "link",
"uuid": "9c2da65e-0e42-454e-9b9f-0daafbb29344",
"value": "https://www.virustotal.com/file/331d17dbe4ee61d8f2c91d7e4af17fb38102003663872223efaa4a15099554d7/analysis/1550866206/"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1550871210",
"to_ids": false,
"type": "text",
"uuid": "3e79140e-f74f-4b0b-8e17-496f1058e477",
"value": "9/61"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1550871229",
"uuid": "3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc",
"ObjectReference": [
{
"comment": "",
"object_uuid": "3061d73f-2f4f-4c6e-8478-3d5d1e74c1bc",
"referenced_uuid": "a6c1afed-624f-4d81-b96a-4ff02a693e66",
"relationship_type": "analysed-with",
"timestamp": "1550871230",
"uuid": "5c706abe-1b10-4475-8d35-4f1202de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1550871209",
"to_ids": true,
"type": "md5",
"uuid": "63d6a412-efd3-4c8e-94a3-8a1e15d4dc16",
"value": "1a6f9190e7c53cd4e9ca4532547131af"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1550871209",
"to_ids": true,
"type": "sha1",
"uuid": "8f650e7b-4a3b-4cd9-af6a-192825d323f9",
"value": "88708e9562a8c4ee4601b3990a664bc63b378753"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1550871209",
"to_ids": true,
"type": "sha256",
"uuid": "389e4069-cbbf-47a4-87ae-a03ae00575df",
"value": "9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1550871229",
"uuid": "a6c1afed-624f-4d81-b96a-4ff02a693e66",
"Attribute": [
{
"category": "Other",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1550871209",
"to_ids": false,
"type": "datetime",
"uuid": "741b8b1f-d387-4dff-9809-a2a5cc0e76f8",
"value": "2019-02-22T20:03:34"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1550871209",
"to_ids": false,
"type": "link",
"uuid": "b55b0030-557e-4368-9429-5e431a631b7e",
"value": "https://www.virustotal.com/file/9d842c9c269345cd3b2a9ce7d338a03ffbf3765661f1ee6d5e178f40d409c3f8/analysis/1550865814/"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1550871209",
"to_ids": false,
"type": "text",
"uuid": "0f619020-6f30-4b40-a3c0-9f13b13fc9b3",
"value": "22/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1550871230",
"uuid": "fd57be37-61cc-4452-85b5-518d55586335",
"ObjectReference": [
{
"comment": "",
"object_uuid": "fd57be37-61cc-4452-85b5-518d55586335",
"referenced_uuid": "e59804a1-c4d9-4228-93bb-1a1f626c25ef",
"relationship_type": "analysed-with",
"timestamp": "1550871230",
"uuid": "5c706abe-c730-41b2-b328-4bb202de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1550871209",
"to_ids": true,
"type": "md5",
"uuid": "3015da1a-86da-45d2-8a84-9a1ed0ff02a3",
"value": "056b178bbeea109d705439aa4e203d09"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1550871209",
"to_ids": true,
"type": "sha1",
"uuid": "5b3dd29a-6054-4832-9173-9f6f8d8b7e67",
"value": "5ae5ca0daccfa21706e157a19bdb67e48cbfe137"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1550871209",
"to_ids": true,
"type": "sha256",
"uuid": "a7c9b4a7-ec51-4f6d-82f3-95946ff53992",
"value": "8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1550871230",
"uuid": "e59804a1-c4d9-4228-93bb-1a1f626c25ef",
"Attribute": [
{
"category": "Other",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1550871209",
"to_ids": false,
"type": "datetime",
"uuid": "d2f63c18-56a3-44a8-83b8-bf9bbfe22b05",
"value": "2019-02-22T20:08:55"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1550871209",
"to_ids": false,
"type": "link",
"uuid": "c077dd9c-a1a5-4941-94a7-b69610709486",
"value": "https://www.virustotal.com/file/8ef4bc09a9534910617834457114b9217cac9cb33ae22b37889040cde4cabea6/analysis/1550866135/"
},
{
"category": "Payload delivery",
"comment": "Malicious Documents",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1550871209",
"to_ids": false,
"type": "text",
"uuid": "c248a416-67d8-4f60-ab77-8d537265a29a",
"value": "23/60"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1550871270",
"uuid": "56b391e4-f005-4caa-ae12-a90db6664ebd",
"ObjectReference": [
{
"comment": "",
"object_uuid": "56b391e4-f005-4caa-ae12-a90db6664ebd",
"referenced_uuid": "fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d",
"relationship_type": "analysed-with",
"timestamp": "1550871271",
"uuid": "5c706ae7-2e68-4e97-a879-463902de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "PE version loader, signed with stolen certificate:",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1550871258",
"to_ids": true,
"type": "md5",
"uuid": "9d7f165e-8028-41ba-bade-a9d6f2d94721",
"value": "9f76d2f73020064374efe67dc28fa006"
},
{
"category": "Payload delivery",
"comment": "PE version loader, signed with stolen certificate:",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1550871258",
"to_ids": true,
"type": "sha1",
"uuid": "c8464fee-b069-490b-9f90-18bbcb7fa57c",
"value": "d96c04952ba0cb61b64bc7f08d7257913d8b7968"
},
{
"category": "Payload delivery",
"comment": "PE version loader, signed with stolen certificate:",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1550871258",
"to_ids": true,
"type": "sha256",
"uuid": "bb21148d-46b8-4238-bb70-ed8322362dd5",
"value": "6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1550871270",
"uuid": "fd828b7c-f7c6-41d6-8b1e-3c19b0c98b2d",
"Attribute": [
{
"category": "Other",
"comment": "PE version loader, signed with stolen certificate:",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1550871258",
"to_ids": false,
"type": "datetime",
"uuid": "17038529-b686-4618-946f-6ac94dddf423",
"value": "2019-02-22T20:15:46"
},
{
"category": "Payload delivery",
"comment": "PE version loader, signed with stolen certificate:",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1550871258",
"to_ids": false,
"type": "link",
"uuid": "45431bd9-aea9-46b1-a9e3-ed17d1fcf05f",
"value": "https://www.virustotal.com/file/6f76a8e16908ba2d576cf0e8cdb70114dcb70e0f7223be10aab3a728dc65c41c/analysis/1550866546/"
},
{
"category": "Payload delivery",
"comment": "PE version loader, signed with stolen certificate:",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1550871258",
"to_ids": false,
"type": "text",
"uuid": "f4343cea-ba6d-4c9b-99e8-d7a157be74f3",
"value": "15/68"
}
]
}
]
}
}