{
"Event" : {
"analysis" : "0" ,
"date" : "2018-07-31" ,
"extends_uuid" : "" ,
"info" : "OSINT - Malware Analysis Report (AR18-221A) MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE- MAR-10135536.r17.v1" ,
"publish_timestamp" : "1533997509" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1533997473" ,
"uuid" : "5b6edeb7-5088-4fe9-89ab-40e902de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0029ff" ,
"local" : "0" ,
"name" : "estimative-language:confidence-in-analytic-judgment=\"high\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"KEYMARBLE\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#13eb00" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Lazarus Group\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A A c g A A A J Y C A Y A A A D m L 3 Y 0 A A A W c W l D Q 1 B J Q 0 M g U H J v Z m l s Z Q A A e J y V m A V U V F + 3 w M + d Z I Y Z a u g e Y u j u 7 u 4 O E R i G 7 i 4 D R E U F p a Q k F F B B R E E p E V T C A J F G Q h E l R E R R M R A E l T f 6 f + L 7 v v W + 9 d Y 7 a 905 v 7 v n 3 H 33 v f v s s 8 + + A L D 3 k S M j Q 2 E M A I S F x 0 b b m + j z u 7 q 586 M X A B z A A B L Q A Q k y J S Z S z 9 b W E v z H 9 n U S Q L / 6 c a l f u v 7 z u P + 1 M f r 6 x V A A g G y p 7 O M b Q w m j c j P 1 G K B E R s c C A E + l y g U T Y i N / 8 Q U q M 0 d T D a R y 2 y 8 O + I c H f r H P P z z 3e4 y j v Q G V v w B A g y O T o w M A w P 26 F 388 J Y C q B 8 c P A I o p 3 D c o H A A m R S p r U w L J v g C w U / 8 D k m F h E b + 4 g s q i P v 9 D T 8 C / 6 P T Z 1 U k m B + z y P 8 / y u 9 E Y B s V E h p K T / p + v 4 / 9 u Y a F x f + 4 h Q D 1 w g d G m 9 t R e i P r O L o V E W O x y u I + 1 z R 8 O 8 v 0 9 / j c H x p k 6 / W F K j I H 7 H / Y l G 1 r 84 b g Q J 70 / T I 7 + e 21 Q r J n j H 46 O s N / V 7 x d j 5 L C r 38 / M c t e G U O t d 9 g 8 y N v v D y Y G O L n 84 P s j Z + g / H h D h Y / B 1 j s C u P j r P f t d k / 2 n j 3 G c N i / t p G I f + 1 I T b Q 0 f S v b a 67 N v j 6 G R r t y s O d d s d H x u r v 6 o w M t d 0 d 7 x d q s i u P i X f Y v T a W O s H + c D D Z 3 P a v H t v d 9 w M s g R E w B P z A A A S B c O A H w g C Z e m Z I P Y s B k S C U e p Y U 65 f 4 a 84 B g 4 j I p O i g g M B Y f j 1 q B P n x m 4 V T p C X 55 W X l V A H 4 F Y 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
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533992631" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "7efc00cd-5af3-43af-b69c-847f4bc9abd2" ,
"value" : "Figure 1"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533992632" ,
"to_ids" : false ,
"type" : "port" ,
"uuid" : "bfbbf011-8144-4495-98dd-bbbcf0649f53" ,
"value" : "443"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533992632" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "df0f4d9a-90a4-4abf-a43d-60916a15f563" ,
"value" : "212.143.21.43"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533992633" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "bbd1ad42-db78-4ebd-9957-74ae70de8b4b" ,
"value" : "100.43.153.60"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533992633" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "bd1f34eb-d736-4b59-818f-64179291eccc" ,
"value" : "104.194.160.59"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533996680" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5b6eee88-4620-4b7b-8619-62b802de0b81" ,
"value" : "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.r17.v1.WHITE_stix.xml"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533997064" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b6ef008-dcb8-46bf-8395-f5ee02de0b81" ,
"value" : "This Malware Analysis Report (MAR) is the result of analytic efforts between Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. Government partners, DHS and FBI identified Trojan malware variants used by the North Korean government. This malware variant has been identified as KEYMARBLE. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.\r\n\r\nDHS and FBI are distributing this MAR to enable network defense and reduce exposure to North Korean government malicious cyber activity.\r\n\r\nThis MAR includes malware descriptions related to HIDDEN COBRA, suggested response actions and recommended mitigation techniques. Users or administrators should flag activity associated with the malware, report the activity to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation.\r\n\r\nThis malware report contains analysis of one 32-bit Windows executable file, identified as a Remote Access Trojan (RAT). This malware is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data."
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533997144" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5b6ef058-7ff4-456d-a57a-407502de0b81" ,
"value" : "rule rsa_modulus { meta: Author=\"NCCIC trusted 3rd party\" Incident=\"10135536\" Date = \"2018/04/19\" category = \"hidden_cobra\" family = \"n/a\" description = \"n/a\" strings: $n = \"bc9b75a31177587245305cd418b8df78652d1c03e9da0cfc910d6d38ee4191d40\" condition: (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and any of them }"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1533997470" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5b6ef19e-08f0-4065-9b61-494f02de0b81" ,
"value" : "https://www.us-cert.gov/ncas/analysis-reports/AR18-221A"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1533992633" ,
"uuid" : "16f97fab-0abd-4e4f-92e8-bdd12f54787e" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1533992634" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "292822ff-8844-4e90-addd-c1fc18be4238" ,
"value" : "704d491c155aad996f16377a35732cb4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1533992634" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "c1b98bca-ab4d-425c-b03f-8432fb37589b" ,
"value" : "d1410d073a6df8979712dd1b6122983f66d5bef8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1533992635" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "4506f84a-d53e-4d89-8d3b-28671e2b2481" ,
"value" : "e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1533992635" ,
"uuid" : "5b649f38-b13f-4f8f-8883-738637a0d947" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1533992635" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "87501f1e-8070-4c40-86e3-cc5e11549b48" ,
"value" : "0.627182"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1533992635" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "901c4607-150d-45e4-82da-aa92cb0f71d4" ,
"value" : "47f6fac41465e01dda5eac297ab250db"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1533992636" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "f904826e-c965-4b92-9469-d54c1c4d8269" ,
"value" : "4096"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1533992636" ,
"uuid" : "ba2275da-03b3-457c-b216-9dfa3bc77834" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1533992636" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "6e7b2cc6-71ae-44d0-87f1-4398cd9f103b" ,
"value" : "30d34a8f4c29d7c2feb0f6e2b102b0a4"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1533992636" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "aeafa205-6148-41e4-9e4c-b72966d32f36" ,
"value" : "6.633409"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "name" ,
"timestamp" : "1533992636" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7ba5e83a-5400-4b58-9e83-2760aab368a9" ,
"value" : ".text"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1533992636" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "99d04340-7c40-41f7-888c-cb53b9446aab" ,
"value" : "94208"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1533992637" ,
"uuid" : "f7a867e5-1222-4fa2-87d2-9294cd9575b9" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1533992637" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "63f56ca4-a8f2-492d-a257-61494657b7b0" ,
"value" : "77f4a11d375f0f35b64a0c43fab947b8"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1533992637" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "c971ad13-75d9-4782-9283-e6c59125a6ee" ,
"value" : "5.054283"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "name" ,
"timestamp" : "1533992637" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6297c420-bea6-453b-8d20-630820579075" ,
"value" : ".rdata"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1533992637" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "37b0366d-fb15-4803-90b5-76f45a7827b2" ,
"value" : "8192"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a section of a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe-section" ,
"template_uuid" : "198a17d2-a135-4b25-9a32-5aa4e632014a" ,
"template_version" : "2" ,
"timestamp" : "1533992637" ,
"uuid" : "47fa919a-9263-4d70-9c4c-7ceab62ae483" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1533992637" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "94e7e585-a25c-4a6e-9760-5818268ce552" ,
"value" : "d4364f6d2f55a37f0036e9e0dc2c6a2b"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "entropy" ,
"timestamp" : "1533992638" ,
"to_ids" : false ,
"type" : "float" ,
"uuid" : "30a5d30a-a4ff-46eb-989e-79aadec715f7" ,
"value" : "4.41698"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "name" ,
"timestamp" : "1533992638" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f8282f7e-dcfb-4c0c-b93d-3cd1e2df6048" ,
"value" : ".data"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1533992638" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "f44bb8a1-0fee-45fc-b7f5-5d710418e703" ,
"value" : "20480"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a Portable Executable" ,
"meta-category" : "file" ,
"name" : "pe" ,
"template_uuid" : "cf7adecc-d4f0-4e88-9d90-f978ee151a07" ,
"template_version" : "3" ,
"timestamp" : "1533992641" ,
"uuid" : "493ad67c-c54a-406b-9c6b-270c30b4bf77" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "493ad67c-c54a-406b-9c6b-270c30b4bf77" ,
"referenced_uuid" : "5b649f38-b13f-4f8f-8883-738637a0d947" ,
"relationship_type" : "header-of" ,
"timestamp" : "1533992641" ,
"uuid" : "5b6edec1-b5ec-4cb0-afac-427702de0b81"
} ,
{
"comment" : "" ,
"object_uuid" : "493ad67c-c54a-406b-9c6b-270c30b4bf77" ,
"referenced_uuid" : "ba2275da-03b3-457c-b216-9dfa3bc77834" ,
"relationship_type" : "included-in" ,
"timestamp" : "1533992641" ,
"uuid" : "5b6edec1-b540-43df-be7a-420d02de0b81"
} ,
{
"comment" : "" ,
"object_uuid" : "493ad67c-c54a-406b-9c6b-270c30b4bf77" ,
"referenced_uuid" : "f7a867e5-1222-4fa2-87d2-9294cd9575b9" ,
"relationship_type" : "included-in" ,
"timestamp" : "1533992642" ,
"uuid" : "5b6edec2-3e5c-4b7b-887a-4d9d02de0b81"
} ,
{
"comment" : "" ,
"object_uuid" : "493ad67c-c54a-406b-9c6b-270c30b4bf77" ,
"referenced_uuid" : "47fa919a-9263-4d70-9c4c-7ceab62ae483" ,
"relationship_type" : "included-in" ,
"timestamp" : "1533992642" ,
"uuid" : "5b6edec2-56f8-41f8-9fb6-4dbe02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "internal-filename" ,
"timestamp" : "1533992638" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "435929fc-94e7-4e1a-9c03-8587f5c068c2" ,
"value" : "704d491c155aad996f16377a35732cb4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "original-filename" ,
"timestamp" : "1533992638" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "8612afc4-f7e6-4f9e-b6cf-25915b52bbbb" ,
"value" : "704d491c155aad996f16377a35732cb4"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "number-sections" ,
"timestamp" : "1533992638" ,
"to_ids" : false ,
"type" : "counter" ,
"uuid" : "d82f3787-dc51-40db-88c7-00f214fe75ca" ,
"value" : "4"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1533997269" ,
"uuid" : "9ea335b7-1fd3-480c-9291-68d0adba0ee4" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1533997269" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "49c46869-358b-4022-af6e-2e868878d88f" ,
"value" : "2018-08-10T21:54:59"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1533997269" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "2d41d2f3-9296-4a9c-8554-e2ecaa9835e4" ,
"value" : "https://www.virustotal.com/file/e23900b00ffd67cd8dfa3283d9ced691566df6d63d1d46c95b22569b49011f09/analysis/1533938099/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1533997270" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "41c8f6e7-7be4-46ff-8c5b-15a3548be032" ,
"value" : "52/66"
}
]
}
]
}
}