{
|
||
|
"Event": {
|
||
|
"analysis": "2",
|
||
|
"date": "2019-06-17",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT - Hide \u2018N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP",
|
||
|
"publish_timestamp": "1561132409",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1561132394",
|
||
|
"uuid": "5d0c8dcc-eae0-4020-b1d0-5526950d210f",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:botnet=\"Hide and Seek\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:malpedia=\"Hide and Seek\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0071c3",
|
||
|
"name": "osint:lifetime=\"perpetual\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0087e8",
|
||
|
"name": "osint:certainty=\"50\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#22681c",
|
||
|
"name": "malware_classification:malware-category=\"Botnet\""
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1561106436",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5d0c9804-7248-45ae-ab57-47fa950d210f",
|
||
|
"value": "The Hide \u2018N Seek botnet was first discovered in January 2018 and is known for its unique use of Peer-to-Peer communication between bots.\r\n\r\nSince its discovery, the malware family has seen a couple of upgrades, from the addition of persistence and new exploits, to targeting Android devices via the Android Debug Bridge (ADB).\r\n\r\nThis post details a variant of the family first seen on the 21st of February 2019, incorporating two new exploits \u2013 CVE-2018-20062 which targets ThinkPHP installations, and CVE-2019-7238, a Remote Code Execution (RCE) vulnerability in Sonatype Nexus Repository Manager (NXRM) 3 software installations.\r\n\r\nWhile the ThinkPHP exploit has already been seen employed by several Mirai variants, the only other instance of the CVE-2019-7238 vulnerability being exploited in the wild has been by the DDG botnet. Our research, outlined below, shows that the Hide \u2018N Seek botnet incorporated this exploit back in February 2019, even before the DDG botnet."
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1561107995",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5d0c9e1b-623c-4552-9a6c-41e1950d210f",
|
||
|
"value": "https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561112162",
|
||
|
"uuid": "5d0cae62-69cc-495e-932c-478e950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561112162",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0cae62-65d0-453e-b1f9-4604950d210f",
|
||
|
"value": "49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561112184",
|
||
|
"uuid": "5d0cae78-e888-4c47-b54e-42b5950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561112184",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0cae78-f5ec-409b-bccd-45c3950d210f",
|
||
|
"value": "d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561112390",
|
||
|
"uuid": "5d0caf46-8778-4c85-b528-41cf950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561112390",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0caf46-08d4-444f-b7e4-4dbd950d210f",
|
||
|
"value": "1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561113057",
|
||
|
"uuid": "5d0cb1e1-86b0-4d8c-8c6b-4283950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113057",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0cb1e1-9448-4b04-8d83-4ba5950d210f",
|
||
|
"value": "c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561113085",
|
||
|
"uuid": "5d0cb1fd-b8a8-44a1-bde0-4b6e950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113085",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0cb1fd-1ae4-4ccc-9499-4fad950d210f",
|
||
|
"value": "0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561113111",
|
||
|
"uuid": "5d0cb217-01d4-460f-bb99-20b8950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113112",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0cb218-551c-4b90-b098-20b8950d210f",
|
||
|
"value": "73df4e952c581afc427fa18fa2d0bcfa409c1814cd872a3ccf05d44f934ce780"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561113814",
|
||
|
"uuid": "5d0cb4d6-883c-4e2b-89b6-4bc1950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113814",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0cb4d6-e79c-4887-b3e7-4432950d210f",
|
||
|
"value": "500dd4c1a5c24495c3bb8173ce5c7b15ba3344aef855090b9b9585b2bfeea974"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561113832",
|
||
|
"uuid": "5d0cb4e8-48d8-492e-88e4-48bf950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113832",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5d0cb4e8-dba8-48ca-bb59-4336950d210f",
|
||
|
"value": "7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561132367",
|
||
|
"uuid": "6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "6f9865b9-4cb9-42cc-9351-1fb8fd4f3b2b",
|
||
|
"referenced_uuid": "360b84b9-09a3-414f-a88d-558b8503d0eb",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "5d0cfd51-0db0-47fc-994d-60ae950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1561112390",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "0dd3e75e-87f4-4211-936b-91c59e2cbacd",
|
||
|
"value": "cc4662e589e8fa58d26f1a8d1c0da21f"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1561112390",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "ba72e8b1-0e47-454c-b40d-7233e9fe506d",
|
||
|
"value": "15c5554d24169096e756beee8c15e96c6708f06c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561112390",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "1ea9a5f5-6ca6-411f-b059-f65ca9f01a3b",
|
||
|
"value": "1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1561132368",
|
||
|
"uuid": "360b84b9-09a3-414f-a88d-558b8503d0eb",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1561112390",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "56d8e60e-215c-4291-8f44-dfeb61084447",
|
||
|
"value": "2019-06-13T22:39:35"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1561112390",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "c1da88a6-b89a-436f-90a0-dac5f2040c94",
|
||
|
"value": "https://www.virustotal.com/file/1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382/analysis/1560465575/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1561112390",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "fa401d1d-e971-4d5b-96d4-5f9a142d1c6f",
|
||
|
"value": "34/57"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561132368",
|
||
|
"uuid": "c3d5088e-84f5-4ef5-b213-67beb35b4e23",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "c3d5088e-84f5-4ef5-b213-67beb35b4e23",
|
||
|
"referenced_uuid": "46bcd5b2-85e1-4961-ad0c-add96cfc111c",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "5d0cfd51-fde0-41bb-9d22-60ae950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1561113832",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "bc2d4f7f-4253-4279-8f85-ab2f89a5f773",
|
||
|
"value": "01a9c99b6c8b812b61ddda76ee5c1899"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1561113832",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "369ecf8c-c9d9-4fd4-8fd4-baee049c1d2a",
|
||
|
"value": "e919ad0e40298f1f79d67c2e8ccdbb0acdde5a2b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113832",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "2d444e91-7de6-4b3b-9ab0-6dcf3149ad3b",
|
||
|
"value": "7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1561132368",
|
||
|
"uuid": "46bcd5b2-85e1-4961-ad0c-add96cfc111c",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1561113832",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "a9cd7679-ab30-44f0-a181-a34756f08f3f",
|
||
|
"value": "2019-06-18T19:16:22"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1561113832",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "052fb771-186d-402c-8be5-02ea4657c5ae",
|
||
|
"value": "https://www.virustotal.com/file/7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7/analysis/1560885382/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1561113832",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "22f740bd-ce13-43d6-b566-5d09c5cfd814",
|
||
|
"value": "31/55"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561132368",
|
||
|
"uuid": "50675af8-63e6-45fc-8705-fe07a29bcf6a",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "50675af8-63e6-45fc-8705-fe07a29bcf6a",
|
||
|
"referenced_uuid": "5fc7be9f-fde9-45be-a619-1952b90e8506",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "5d0cfd51-f6a8-4fa3-b00f-60ae950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1561112162",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "0824e839-dfc1-468f-961c-3ea2b0f4cb85",
|
||
|
"value": "6de70812923df430cff73fcf66830e6d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1561112162",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "846bc2b3-784a-4ca7-8fa4-74deb362a890",
|
||
|
"value": "13cc834fbf30e32146ae1be4a6bbba5b7be41ae3"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561112162",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5a49370f-91f6-4d48-a8bc-da2288c5c840",
|
||
|
"value": "49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1561132368",
|
||
|
"uuid": "5fc7be9f-fde9-45be-a619-1952b90e8506",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1561112162",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "3c70bbea-cf02-4b93-8295-b3b4a116c77c",
|
||
|
"value": "2019-06-13T22:39:35"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1561112162",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "a330507d-9192-4e56-ad08-eeb3401a64ab",
|
||
|
"value": "https://www.virustotal.com/file/49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f/analysis/1560465575/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1561112162",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "0ef769b9-de75-41b6-86d4-e97d6edef792",
|
||
|
"value": "29/58"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561132368",
|
||
|
"uuid": "9803a8e8-e8b7-4708-9565-3f261694a5cb",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "9803a8e8-e8b7-4708-9565-3f261694a5cb",
|
||
|
"referenced_uuid": "20480301-47fb-4a64-81c9-8aa80a18dc89",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "5d0cfd51-1fe8-4c8c-b957-60ae950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1561113085",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "2cf55722-c2ee-43e6-af5c-64e5559b2d34",
|
||
|
"value": "f54c7e19bc1db3b3897b6fe81a403db0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1561113085",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "e76e3d12-005c-48d0-9653-6001c04dcd78",
|
||
|
"value": "20ee3e5634a7a826a68ec858474f65cd58190870"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113085",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "7993a25c-189d-4554-afd1-985a7203d623",
|
||
|
"value": "0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "20480301-47fb-4a64-81c9-8aa80a18dc89",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1561113085",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "ad41b356-c3b3-4dcd-855e-7bd45c6d2891",
|
||
|
"value": "2019-06-14T16:31:05"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1561113085",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "4f643b42-1af6-49d6-b5e8-43f72941844a",
|
||
|
"value": "https://www.virustotal.com/file/0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369/analysis/1560529865/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1561113085",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "baa30bab-f182-4eb5-bba6-db9551c005d1",
|
||
|
"value": "24/50"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "4e6b8d5b-af14-4a65-833d-5e41861d39a3",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "4e6b8d5b-af14-4a65-833d-5e41861d39a3",
|
||
|
"referenced_uuid": "599d8b4a-50a0-4a83-a25a-dd8b2879fe32",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1561132370",
|
||
|
"uuid": "5d0cfd52-9d50-414f-b8c0-60ae950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1561112184",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "cb308925-fac4-4d04-90d6-8121eaefc9d9",
|
||
|
"value": "7c48b82ee08fbf7b4f4190b0973dfd5c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1561112184",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "a99018bc-7015-4cdb-b361-e179640ab153",
|
||
|
"value": "1b278755efb2fefde2c32be6d0aa329ae35a9fc6"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561112184",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "33312d2c-3757-48fd-acfc-28c1f54aa006",
|
||
|
"value": "d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "599d8b4a-50a0-4a83-a25a-dd8b2879fe32",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1561112184",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "e850ba03-ed6c-474a-ae87-db0f0c31551d",
|
||
|
"value": "2019-06-13T22:39:39"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1561112184",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "4ed5c275-ec23-49f5-accf-23d17dfd73b8",
|
||
|
"value": "https://www.virustotal.com/file/d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1/analysis/1560465579/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1561112184",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "6aeb3a94-650e-4c76-99da-75e53081eaba",
|
||
|
"value": "31/55"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "40227e50-2444-4a4a-80fe-fe4eeddd8a0c",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "40227e50-2444-4a4a-80fe-fe4eeddd8a0c",
|
||
|
"referenced_uuid": "4aaab1e9-b177-41dc-b0a3-891174e327a5",
|
||
|
"relationship_type": "analysed-with",
|
||
|
"timestamp": "1561132370",
|
||
|
"uuid": "5d0cfd52-f5f8-4b7e-883c-60ae950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1561113057",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "d88e8b56-d529-43d3-8c31-c3f270fe4a98",
|
||
|
"value": "784ab23904c34c2033b8ab3fbb18645d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1561113057",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "6f1f6c25-2b58-4555-9488-e418516de2d8",
|
||
|
"value": "75374fe86e63b1c60b02be4ebe3770a58a4423e1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1561113057",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "66169ca8-b034-495d-97f1-f8926aff712b",
|
||
|
"value": "c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "VirusTotal report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "virustotal-report",
|
||
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1561132369",
|
||
|
"uuid": "4aaab1e9-b177-41dc-b0a3-891174e327a5",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "last-submission",
|
||
|
"timestamp": "1561113057",
|
||
|
"to_ids": false,
|
||
|
"type": "datetime",
|
||
|
"uuid": "67e1c498-a970-46de-8907-61e496935893",
|
||
|
"value": "2019-06-21T08:57:11"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "permalink",
|
||
|
"timestamp": "1561113057",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "e57632b1-769b-4c66-bd28-0c73fdb20fa5",
|
||
|
"value": "https://www.virustotal.com/file/c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d/analysis/1561107431/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "detection-ratio",
|
||
|
"timestamp": "1561113057",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "528491e6-7f21-401a-9749-cb93d8c6fa29",
|
||
|
"value": "31/57"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}