{
"Event": {
"analysis": "2",
"date": "2018-05-29",
"extends_uuid": "",
"info": "US-CERT Alert (TA18-149A) HIDDEN COBRA \u2013 Joanap Backdoor Trojan and Brambul Server Message Block Worm",
"publish_timestamp": "1607838920",
"published": true,
"threat_level_id": "3",
"timestamp": "1621849752",
"uuid": "5b0d929e-4c6c-438a-9fe5-78130acd0835",
"Orgc": {
"name": "Synovus Financial",
"uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#13eb00",
"name": "misp-galaxy:threat-actor=\"Lazarus Group\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Remote File Copy (T1105)\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Brute Force (T1110)\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Connection Proxy (T1090)\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses Command-Line Interface (T1059)\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-relationship=\"Lazarus Group (G0032) uses System Information Discovery (T1082)\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527616200",
"to_ids": false,
"type": "link",
"uuid": "5b0d92c8-5410-41e7-9207-85ad0acd0835",
"value": "https://www.us-cert.gov/ncas/alerts/TA18-149A"
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-d95c-4309-a433-80480acd0835",
"value": "181.1.253.234",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-38e0-49be-9f24-80480acd0835",
"value": "200.82.62.24",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-75d8-45b1-aa72-80480acd0835",
"value": "81.243.151.226",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1560524441",
"to_ids": false,
"type": "ip-dst",
"uuid": "5b0d9337-0224-4404-99a7-80480acd0835",
"value": "81.247.219.196",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-4098-4d75-bb67-80480acd0835",
"value": "138.204.211.197",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-1318-4bcf-a29a-80480acd0835",
"value": "177.221.11.176",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-c294-4d57-a9ad-80480acd0835",
"value": "177.221.11.233",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-9be0-42e0-bc42-80480acd0835",
"value": "177.41.74.199",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-b234-493d-beae-80480acd0835",
"value": "179.107.219.90",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-9b80-4614-bbdb-80480acd0835",
"value": "187.127.112.60",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-6d9c-4f62-a240-80480acd0835",
"value": "187.127.115.206",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-b05c-4be1-a6d1-80480acd0835",
"value": "189.15.173.106",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-4480-4666-8a00-80480acd0835",
"value": "103.227.174.79",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-d628-44c1-a705-80480acd0835",
"value": "146.88.205.56",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-c6fc-4c04-9992-80480acd0835",
"value": "113.57.34.213",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-e6b0-4cbc-9c37-80480acd0835",
"value": "117.179.224.33",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-2454-4cda-9c1e-80480acd0835",
"value": "181.234.231.152",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-08a8-4809-8dd6-80480acd0835",
"value": "190.60.109.166",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9337-1290-4b7d-a464-80480acd0835",
"value": "196.204.141.76",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-ce2c-4585-811a-80480acd0835",
"value": "196.221.41.109",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-eec4-4b26-b84d-80480acd0835",
"value": "1.186.218.107",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-00f4-4c6f-b2d2-80480acd0835",
"value": "103.71.212.72",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-7894-4918-b5bd-80480acd0835",
"value": "106.51.226.188",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-f3f8-4452-af53-80480acd0835",
"value": "114.79.191.185",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768665",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-73c0-4fc7-8c95-80480acd0835",
"value": "117.213.169.79",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768665",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-1734-4879-9c8b-80480acd0835",
"value": "117.213.170.132",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768665",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-b7d0-4eb6-ae4f-80480acd0835",
"value": "117.213.170.252",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768665",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-8168-4cfe-939f-80480acd0835",
"value": "117.214.92.199",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768665",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-0f4c-4500-962b-80480acd0835",
"value": "117.254.85.138",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-ba58-4a8e-9377-80480acd0835",
"value": "123.201.161.60",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-3f40-48cc-8156-80480acd0835",
"value": "157.49.171.35",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-b590-470d-9c1b-80480acd0835",
"value": "202.142.71.166",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-38e8-444f-8414-80480acd0835",
"value": "49.206.100.19",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-b4b0-4871-9912-80480acd0835",
"value": "49.206.105.206",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-593c-4fef-89b6-80480acd0835",
"value": "59.92.69.202",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-a1b4-4e3b-a2d6-80480acd0835",
"value": "59.92.69.23",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-7cf0-424e-838b-80480acd0835",
"value": "59.92.69.254",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-0df4-4cd1-b2f4-80480acd0835",
"value": "59.92.69.51",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-07a8-4eb7-85cc-80480acd0835",
"value": "59.92.70.122",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-d8bc-4753-b44c-80480acd0835",
"value": "59.92.70.162",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-a81c-4b14-9afc-80480acd0835",
"value": "59.92.70.164",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-09dc-443f-bff5-80480acd0835",
"value": "59.95.151.28",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768664",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-0158-4c7b-9bf0-80480acd0835",
"value": "59.97.22.192",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-b928-41ad-ad33-80480acd0835",
"value": "61.3.239.224",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-2098-4512-a7f7-80480acd0835",
"value": "2.182.31.181",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-55c8-4b52-b833-80480acd0835",
"value": "2.182.31.195",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-fc40-41a0-b8e0-80480acd0835",
"value": "2.182.31.84",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-c924-41ec-8793-80480acd0835",
"value": "2.187.201.47",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-d2b8-48ba-b0e1-80480acd0835",
"value": "82.212.93.217",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-b730-4f49-a2f4-80480acd0835",
"value": "110.36.226.146",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-3aa4-4e7f-a649-80480acd0835",
"value": "203.130.24.202",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-2108-40b4-bc19-80480acd0835",
"value": "176.45.234.206",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-9588-473f-a352-80480acd0835",
"value": "176.45.248.239",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-0254-492f-8138-80480acd0835",
"value": "176.47.60.110",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-9670-427f-a76e-80480acd0835",
"value": "188.49.198.65",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-1508-4f12-b934-80480acd0835",
"value": "188.54.209.88",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-fd8c-49d6-a9a2-80480acd0835",
"value": "188.54.251.115",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-ea9c-4e4b-b106-80480acd0835",
"value": "5.156.110.212",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-94a0-4e8f-b5d8-80480acd0835",
"value": "5.156.137.47",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-fdc4-4801-8ed2-80480acd0835",
"value": "51.235.186.186",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-fee4-4087-a72e-80480acd0835",
"value": "90.148.206.252",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-87f4-4e40-92cf-80480acd0835",
"value": "95.184.0.49",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-c018-4fd0-a5be-80480acd0835",
"value": "95.218.39.84",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-6e50-46e0-a04f-80480acd0835",
"value": "2.137.162.251",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-0e48-4e19-84b4-80480acd0835",
"value": "124.43.35.86",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-bdbc-458d-bb51-80480acd0835",
"value": "124.43.39.105",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-1dec-4336-80be-80480acd0835",
"value": "124.43.41.213",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-17a0-4d0e-8907-80480acd0835",
"value": "124.43.41.48",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-17f0-4978-9b7d-80480acd0835",
"value": "124.43.42.30",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-9ab8-420d-af11-80480acd0835",
"value": "90.236.254.71",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-fa3c-45d2-a179-80480acd0835",
"value": "1.160.139.122",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-528c-4b2a-a4d8-80480acd0835",
"value": "1.169.112.88",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-584c-41fd-b0f9-80480acd0835",
"value": "1.170.194.142",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-4088-46ae-a681-80480acd0835",
"value": "111.253.145.11",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-e874-4c40-9697-80480acd0835",
"value": "111.255.198.92",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-0674-4bb4-a76e-80480acd0835",
"value": "114.26.231.136",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-b6c4-4c87-b717-80480acd0835",
"value": "114.36.15.80",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-daa8-4f9d-ac46-80480acd0835",
"value": "114.36.3.66",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-98b4-4959-8197-80480acd0835",
"value": "114.39.179.133",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-6448-487c-aee8-80480acd0835",
"value": "114.46.75.51",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9338-d794-4960-a71a-80480acd0835",
"value": "122.121.9.203",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9339-3648-4efb-af16-80480acd0835",
"value": "36.229.45.69",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9339-a7e8-4495-b4ed-80480acd0835",
"value": "36.231.179.65",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768663",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9339-0960-4e7b-8ae8-80480acd0835",
"value": "36.231.36.64",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768662",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9339-aa3c-49a2-b910-80480acd0835",
"value": "36.235.81.169",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "According to DHS and FBI analysis, this IP address is compromised infrastructure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768665",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b0d9339-7c74-49d7-9d6e-80480acd0835",
"value": "36.238.65.99",
"Tag": [
{
"colour": "#2d0048",
"name": "adversary:infrastructure-status=\"compromised\""
},
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Payload delivery",
"comment": "Enriched via the stiximport module",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768544",
"to_ids": true,
"type": "email-src",
"uuid": "5b0d9339-b9bc-4ce2-afda-80480acd0835",
"value": "misswang8107@gmail.com"
},
{
"category": "Payload delivery",
"comment": "Enriched via the stiximport module",
"deleted": false,
"disable_correlation": false,
"timestamp": "1527768544",
"to_ids": true,
"type": "email-src",
"uuid": "5b0d9339-7688-49a4-b486-80480acd0835",
"value": "redhat@gmail.com"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1527770140",
"to_ids": false,
"type": "attachment",
"uuid": "5b0fec1c-4c58-45a4-aa7a-1e000acd0835",
"value": "TA18-194A.pdf"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1527770140",
"to_ids": false,
"type": "attachment",
"uuid": "5b0fec1c-4e20-4ada-a185-1e000acd0835",
"value": "MAR-10135536-3_WHITE.pdf"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1527768832",
"uuid": "5b0fe700-85cc-4c01-9c1f-1e220acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1527768972",
"to_ids": true,
"type": "md5",
"uuid": "5b0fe700-1158-4bee-8dd1-1e220acd0835",
"value": "4613f51087f01715bf9132c704aea2c2",
"Tag": [
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00193e",
"name": "ms-caro-malware-full:malware-type=\"TrojanProxy\""
},
{
"colour": "#001739",
"name": "ms-caro-malware-full:malware-type=\"RemoteAccess\""
},
{
"colour": "#00193d",
"name": "ms-caro-malware-full:malware-type=\"TrojanDropper\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1527768832",
"to_ids": false,
"type": "text",
"uuid": "5b0fe700-42f4-43c4-8508-1e220acd0835",
"value": "According to DHS and FBI analysis, this Dynamic Link Library (DLL) is a Remote Access Tool (RAT) capable of providing an array of remote command and control capabilities. It has the ability to exfiltrate data, drop and run secondary payloads, and provide proxy capabilities on a compromised Windows device. The malware binds and listens on port 443 for incoming connections from a remote operator."
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1527768972",
"to_ids": true,
"type": "sha256",
"uuid": "5b0fe700-40d4-4114-8ab8-1e220acd0835",
"value": "a1c483b0ee740291b91b11e18dd05f0a460127acfc19d47b446d11cd0e26d717",
"Tag": [
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00193e",
"name": "ms-caro-malware-full:malware-type=\"TrojanProxy\""
},
{
"colour": "#001739",
"name": "ms-caro-malware-full:malware-type=\"RemoteAccess\""
},
{
"colour": "#00193d",
"name": "ms-caro-malware-full:malware-type=\"TrojanDropper\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1527768972",
"to_ids": true,
"type": "sha1",
"uuid": "5b0fe700-5960-4519-9739-1e220acd0835",
"value": "6b1ddf0e63e04146d68cd33b0e18e668b29035c4",
"Tag": [
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00193e",
"name": "ms-caro-malware-full:malware-type=\"TrojanProxy\""
},
{
"colour": "#001739",
"name": "ms-caro-malware-full:malware-type=\"RemoteAccess\""
},
{
"colour": "#00193d",
"name": "ms-caro-malware-full:malware-type=\"TrojanDropper\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1527768832",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b0fe700-4ae0-4bcb-b32e-1e220acd0835",
"value": "768:qtT2AxNtcgpqLepcy2y6/chYdP8KuSFM+Cs5CBaho9S4AJKqBz8MZdVsrQVBnVGa:qwONtBqL1dDMrs5CN9S4A3HOYBnVL"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1527768832",
"to_ids": false,
"type": "text",
"uuid": "5b0fe701-2258-4e14-bbcb-1e220acd0835",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1527769079",
"uuid": "5b0fe7f7-ac3c-46e4-8257-20350acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1527769467",
"to_ids": true,
"type": "md5",
"uuid": "5b0fe7f7-22f0-48f4-99b6-20350acd0835",
"value": "298775b04a166ff4b8fbd3609e716945",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Scan network\""
},
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00a7cc",
"name": "veris:action:malware:vector=\"Network propagation\""
},
{
"colour": "#77d500",
"name": "malware_classification:payload-classification=\"dropper\""
},
{
"colour": "#000000",
"name": "SMB"
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1527769079",
"to_ids": false,
"type": "text",
"uuid": "5b0fe7f7-82a4-4a9c-80e1-20350acd0835",
"value": "According to DHS and FBI analysis, this is a malicious Portable Executable 32-bit (PE32) file designed to scan the local network and the internet for machines that are accessible and have open Server Message Block (SMB) ports. Once the malware gains access to a remote machine it will deliver a malicious payload."
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1527769467",
"to_ids": true,
"type": "sha256",
"uuid": "5b0fe7f7-53b8-4c85-82c3-20350acd0835",
"value": "fe7d35d19af5f5ae2939457a06868754b8bdd022e1ff5bdbe4e7c135c48f9a16",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Scan network\""
},
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00a7cc",
"name": "veris:action:malware:vector=\"Network propagation\""
},
{
"colour": "#77d500",
"name": "malware_classification:payload-classification=\"dropper\""
},
{
"colour": "#000000",
"name": "SMB"
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1527769467",
"to_ids": true,
"type": "sha1",
"uuid": "5b0fe7f7-5430-4199-8159-20350acd0835",
"value": "2e0f666831f64d7383a11b444e2c16b38231f481",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Scan network\""
},
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00a7cc",
"name": "veris:action:malware:vector=\"Network propagation\""
},
{
"colour": "#77d500",
"name": "malware_classification:payload-classification=\"dropper\""
},
{
"colour": "#000000",
"name": "SMB"
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1527769079",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b0fe7f7-07f8-471a-a697-20350acd0835",
"value": "768:i+cDn8nAQ5Toz4c0+u5jrdXs+W+aCNkiC8xeC3cs:i+M8ndTozOn5jxF/US0s"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1527769079",
"to_ids": false,
"type": "text",
"uuid": "5b0fe7f7-0440-46dd-86a1-20350acd0835",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1527769345",
"uuid": "5b0fe901-12a8-4b77-9134-1f380acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1527769467",
"to_ids": true,
"type": "md5",
"uuid": "5b0fe901-99a0-4918-a7c0-1f380acd0835",
"value": "e86c2f4fc88918246bf697b6a404c3ea",
"Tag": [
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00abd0",
"name": "veris:action:malware:variety=\"Brute force\""
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Scan network\""
},
{
"colour": "#000000",
"name": "SMB"
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1527769345",
"to_ids": false,
"type": "text",
"uuid": "5b0fe901-3d3c-49c9-9bca-1f380acd0835",
"value": "According to DHS and FBI analysis, this file is a malicious 32-bit Windows Dynamic Link Library (DLL), dropped and loaded by [MD5: 4731cbaee7aca37b596e38690160a749] (the dropper file object in this event). When executed, the DLL attempts to contact all of the Internet Protocol (IP) addresses on the victim's local subnet. If the file is able to connect to these IPs, it will attempt to gain unauthorized access via the Server Message Block (SMB) protocol on port 445 utilizing a brute-force password attack."
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1527769467",
"to_ids": true,
"type": "sha256",
"uuid": "5b0fe901-e2d0-4dc9-beb8-1f380acd0835",
"value": "ea46ed5aed900cd9f01156a1cd446cbb3e10191f9f980e9f710ea1c20440c781",
"Tag": [
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00abd0",
"name": "veris:action:malware:variety=\"Brute force\""
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Scan network\""
},
{
"colour": "#000000",
"name": "SMB"
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1527769467",
"to_ids": true,
"type": "sha1",
"uuid": "5b0fe901-9930-48e1-8e58-1f380acd0835",
"value": "9b7609349a4b9128b9db8f11ac1c77728258862c",
"Tag": [
{
"colour": "#c5008e",
"name": "kill-chain:Installation"
},
{
"colour": "#00abd0",
"name": "veris:action:malware:variety=\"Brute force\""
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Scan network\""
},
{
"colour": "#000000",
"name": "SMB"
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1527769345",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b0fe901-029c-4013-8f6f-1f380acd0835",
"value": "768:9eY/pEwKWcwP/bY4XxlGLup3Tq1LpDLJkDcw3f9zj:MitnU4viJJDw3Z"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1527769345",
"to_ids": false,
"type": "text",
"uuid": "5b0fe901-99f8-4d66-897d-1f380acd0835",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "11",
"timestamp": "1527769546",
"uuid": "5b0fe9ca-0874-4425-9665-1e1d0acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1527769652",
"to_ids": true,
"type": "md5",
"uuid": "5b0fe9ca-4dc8-4f01-ab6f-1e1d0acd0835",
"value": "4731cbaee7aca37b596e38690160a749",
"Tag": [
{
"colour": "#8a0064",
"name": "kill-chain:Delivery"
},
{
"colour": "#00193d",
"name": "ms-caro-malware-full:malware-type=\"TrojanDropper\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1527769546",
"to_ids": false,
"type": "text",
"uuid": "5b0fe9ca-e964-4a9c-b000-1e1d0acd0835",
"value": "According to DHS and FBI analysis, this is a Portable Executable 32-bit (PE32) file that can be used to drop and install other malware on the compromised host."
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1527769650",
"to_ids": true,
"type": "sha256",
"uuid": "5b0fe9ca-3a34-426d-898d-1e1d0acd0835",
"value": "077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885",
"Tag": [
{
"colour": "#8a0064",
"name": "kill-chain:Delivery"
},
{
"colour": "#00193d",
"name": "ms-caro-malware-full:malware-type=\"TrojanDropper\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1527769648",
"to_ids": true,
"type": "sha1",
"uuid": "5b0fe9ca-5a74-4da3-8893-1e1d0acd0835",
"value": "80fac6361184a3e24b33f6acb8688a6b7276b0f2",
"Tag": [
{
"colour": "#8a0064",
"name": "kill-chain:Delivery"
},
{
"colour": "#00193d",
"name": "ms-caro-malware-full:malware-type=\"TrojanDropper\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1527769546",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b0fe9ca-c1ec-4442-9c15-1e1d0acd0835",
"value": "6144:M6atGpHk4NdSksOBbNUyb4ajb1TWiYW9ebYwtJEGLYMYR4:Msdk4NdSksOv"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1527769546",
"to_ids": false,
"type": "text",
"uuid": "5b0fe9ca-bce0-4352-bea2-1e1d0acd0835",
"value": "Malicious"
}
]
}
]
}
}