{
|
||
|
"Event": {
|
||
|
"analysis": "0",
|
||
|
"date": "2019-12-04",
|
||
|
"extends_uuid": "",
|
||
|
"info": "Malicious PyPI packages",
|
||
|
"publish_timestamp": "1575466990",
|
||
|
"published": true,
|
||
|
"threat_level_id": "1",
|
||
|
"timestamp": "1575466984",
|
||
|
"uuid": "5de7883b-22bc-4264-995c-4d1f950d210f",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Other Network Medium - T1011\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#00223b",
|
||
|
"name": "osint:source-type=\"blog-post\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#00497f",
|
||
|
"name": "osint:source-type=\"source-code-repository\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#007ad2",
|
||
|
"name": "osint:certainty=\"100\""
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Name of the malicious package (lookalike of the legitimate python-dateutil package; see the linked dateutil GitHub issue)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1575455130",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5de78960-6df8-4e53-8db2-4f31950d210f",
|
||
|
"value": "python3-dateutil"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Name of the malicious package (lookalike of the legitimate jellyfish package: the third character is an uppercase I, not a lowercase l)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1575455120",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5de78990-431c-448b-a460-4da1950d210f",
|
||
|
"value": "jeIlyfish"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "The unpacked payload collects the PGP and SSH keys it finds on the victim system and writes them to this file before uploading it to the exfiltration host",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1575457380",
|
||
|
"to_ids": false,
|
||
|
"type": "filename",
|
||
|
"uuid": "5de78c7c-6d88-48c2-98d0-47a0950d210f",
|
||
|
"value": "Downloads/ITDS-2018-10-15-DRACO_SRV1-362.pfx"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1575456697",
|
||
|
"uuid": "5de7889b-eb5c-4934-b531-483b950d210f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de7889b-eb5c-4934-b531-483b950d210f",
|
||
|
"referenced_uuid": "5de788c9-2964-40a3-8c7b-44ac950d210f",
|
||
|
"relationship_type": "downloaded-from",
|
||
|
"timestamp": "1575456697",
|
||
|
"uuid": "5de78fb9-7e18-419a-9f4a-2265950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1575454876",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5de7889c-86b4-4eed-8a83-41b4950d210f",
|
||
|
"value": "https://gitlab.com/olgired2017/aeg_wandoo_dag_m3/raw/master/hashsum"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1575454921",
|
||
|
"uuid": "5de788c9-2964-40a3-8c7b-44ac950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1575454921",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5de788c9-1174-4994-b700-4381950d210f",
|
||
|
"value": "http://bitly.com/25VZxUbmkr"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1575465734",
|
||
|
"uuid": "5de788fd-e140-45b5-ac4b-47f2950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1575465734",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5de788fd-ba44-4579-90a0-44b8950d210f",
|
||
|
"value": "https://github.com/dateutil/dateutil/issues/984"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1575465757",
|
||
|
"uuid": "5de78919-6560-4e2d-80b6-4ecd950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1575465747",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "5de78919-e768-4151-84de-455e950d210f",
|
||
|
"value": "https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1575457010",
|
||
|
"uuid": "5de789bc-ea08-4bf7-9688-4ce8950d210f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de789bc-ea08-4bf7-9688-4ce8950d210f",
|
||
|
"referenced_uuid": "5de78b13-9320-49f1-abff-420a950d210f",
|
||
|
"relationship_type": "downloads",
|
||
|
"timestamp": "1575456525",
|
||
|
"uuid": "5de78f0d-0398-462f-b93a-2265950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de789bc-ea08-4bf7-9688-4ce8950d210f",
|
||
|
"referenced_uuid": "5de78960-6df8-4e53-8db2-4f31950d210f",
|
||
|
"relationship_type": "is-in-relation-with",
|
||
|
"timestamp": "1575457009",
|
||
|
"uuid": "5de790f1-a4c4-467f-ad1a-3b68950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1575455165",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5de789bd-d848-4fc8-8280-45ae950d210f",
|
||
|
"value": "https://pypi.org/project/python3-dateutil/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1575456989",
|
||
|
"uuid": "5de789d2-0f30-41e3-bcd5-45df950d210f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de789d2-0f30-41e3-bcd5-45df950d210f",
|
||
|
"referenced_uuid": "5de78b13-9320-49f1-abff-420a950d210f",
|
||
|
"relationship_type": "downloads",
|
||
|
"timestamp": "1575456476",
|
||
|
"uuid": "5de78edc-a790-4d06-8869-2265950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de789d2-0f30-41e3-bcd5-45df950d210f",
|
||
|
"referenced_uuid": "5de78990-431c-448b-a460-4da1950d210f",
|
||
|
"relationship_type": "abuses",
|
||
|
"timestamp": "1575456989",
|
||
|
"uuid": "5de790dd-d8d0-48ca-a7fe-3b68950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1575455186",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5de789d2-f6a0-4375-b60b-414a950d210f",
|
||
|
"value": "https://pypi.org/project/jeIlyfish/"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1575456666",
|
||
|
"uuid": "5de78b13-9320-49f1-abff-420a950d210f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de78b13-9320-49f1-abff-420a950d210f",
|
||
|
"referenced_uuid": "5de78b13-9320-49f1-abff-420a950d210f",
|
||
|
"relationship_type": "downloads",
|
||
|
"timestamp": "1575456343",
|
||
|
"uuid": "5de78e1a-df14-4613-bc67-4246950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de78b13-9320-49f1-abff-420a950d210f",
|
||
|
"referenced_uuid": "5de7889b-eb5c-4934-b531-483b950d210f",
|
||
|
"relationship_type": "downloaded-from",
|
||
|
"timestamp": "1575456666",
|
||
|
"uuid": "5de78f9a-3ac8-46aa-bf19-2265950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"data": "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",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "malware-sample",
|
||
|
"timestamp": "1575455507",
|
||
|
"to_ids": true,
|
||
|
"type": "malware-sample",
|
||
|
"uuid": "5de78b13-060c-4e1e-8505-4f57950d210f",
|
||
|
"value": "hashsum|132fafca98f58aa3c39b2b6f168c5a9b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1575455508",
|
||
|
"to_ids": false,
|
||
|
"type": "filename",
|
||
|
"uuid": "5de78b14-b40c-4ed5-87d7-4149950d210f",
|
||
|
"value": "hashsum"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1575455508",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5de78b14-4ee8-4e74-be91-42b7950d210f",
|
||
|
"value": "132fafca98f58aa3c39b2b6f168c5a9b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1575455508",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5de78b14-a2c0-4da1-9a01-4bc3950d210f",
|
||
|
"value": "47bddd8311cc683a401eacce51c5f7df49170fc7"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1575455508",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5de78b14-827c-4557-b717-48e2950d210f",
|
||
|
"value": "e8ec763a658519d9a11284f4e000f4be41e86b5c726904b6d178824eefd738da"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1575455508",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "5de78b14-5ab8-4b98-bc19-431b950d210f",
|
||
|
"value": "2987"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "Second-stage file unpacked from the downloaded 'hashsum' payload",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "17",
|
||
|
"timestamp": "1575456947",
|
||
|
"uuid": "5de78bdc-b330-495c-94b0-43dc950d210f",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de78bdc-b330-495c-94b0-43dc950d210f",
|
||
|
"referenced_uuid": "5de78b13-9320-49f1-abff-420a950d210f",
|
||
|
"relationship_type": "extracted-from",
|
||
|
"timestamp": "1575456631",
|
||
|
"uuid": "5de78f77-6908-45bc-ac27-2265950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "5de78bdc-b330-495c-94b0-43dc950d210f",
|
||
|
"referenced_uuid": "5de78ce3-9f74-4f4b-a05b-4b15950d210f",
|
||
|
"relationship_type": "exfiltrates-to",
|
||
|
"timestamp": "1575456737",
|
||
|
"uuid": "5de78fe1-c3cc-4011-98d6-29ff950d210f"
|
||
|
},
|
||
|
{
|
||
|
"comment": "The collected key material is uploaded to the exfiltration host under this filename",
|
||
|
"object_uuid": "5de78bdc-b330-495c-94b0-43dc950d210f",
|
||
|
"referenced_uuid": "5de78c7c-6d88-48c2-98d0-47a0950d210f",
|
||
|
"relationship_type": "uploads",
|
||
|
"timestamp": "1575456947",
|
||
|
"uuid": "5de790b3-c8f4-4298-9c05-3b68950d210f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"data": "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",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "malware-sample",
|
||
|
"timestamp": "1575455709",
|
||
|
"to_ids": true,
|
||
|
"type": "malware-sample",
|
||
|
"uuid": "5de78bdd-2c08-4501-a1a3-4117950d210f",
|
||
|
"value": "workfile|a5ce34545c5b06e98f60c93c0db14be5"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1575455709",
|
||
|
"to_ids": false,
|
||
|
"type": "filename",
|
||
|
"uuid": "5de78bdd-f964-40fb-b039-4e84950d210f",
|
||
|
"value": "workfile"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1575455709",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "5de78bdd-1ab0-4093-bcef-4583950d210f",
|
||
|
"value": "a5ce34545c5b06e98f60c93c0db14be5"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1575455709",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "5de78bdd-41ac-4f46-b05e-4590950d210f",
|
||
|
"value": "015fb194428fe47cdf3a2c8eefc5b6518ed1a135"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1575455709",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "5de78bdd-2c74-4a69-b64c-4431950d210f",
|
||
|
"value": "e4c356b41fe198da888eb9e4964b92883384d3a7070c51d622911f2b7b5947a9"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1575455709",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "5de78bdd-7cf4-478e-a7fc-460b950d210f",
|
||
|
"value": "3971"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "Exfiltration endpoint for the collected key material (bare IP literal and non-standard port, no hostname)",
|
||
|
"deleted": false,
|
||
|
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
|
||
|
"meta-category": "network",
|
||
|
"name": "url",
|
||
|
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1575455971",
|
||
|
"uuid": "5de78ce3-9f74-4f4b-a05b-4b15950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "url",
|
||
|
"timestamp": "1575455971",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5de78ce3-6280-4ec6-8ab9-4df1950d210f",
|
||
|
"value": "http://68.183.212.246:32258"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "host",
|
||
|
"timestamp": "1575455971",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "5de78ce3-ca98-4ddd-a924-4495950d210f",
|
||
|
"value": "68.183.212.246"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "port",
|
||
|
"timestamp": "1575455971",
|
||
|
"to_ids": false,
|
||
|
"type": "port",
|
||
|
"uuid": "5de78ce3-2c68-4eb3-b652-4f10950d210f",
|
||
|
"value": "32258"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}