{
"Event" : {
"analysis" : "0" ,
"date" : "2018-03-12" ,
"extends_uuid" : "" ,
"info" : "OSINT - Sigma Ransomware Being Distributed Using Fake Craigslist Malspam" ,
"publish_timestamp" : "1536755880" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1536755790" ,
"uuid" : "5b9123c0-1480-4e09-877e-4783950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#2c4f00" ,
"local" : "0" ,
"name" : "malware_classification:malware-category=\"Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:ransomware=\"Sigma Ransomware\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Link - T1192\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"User Execution - T1204\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Obfuscated Files or Information - T1027\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#026900" ,
"local" : "0" ,
"name" : "monarc-threat:unauthorised-actions=\"corruption-of-data\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#039900" ,
"local" : "0" ,
"name" : "monarc-threat:compromise-of-information=\"malware-infection\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1536329213" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b912411-f738-46fc-b27c-4ada950d210f" ,
"value" : "Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer." ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1536329222" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5b912433-50b0-4e96-8d7a-44b1950d210f" ,
"value" : "https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1536240806" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5b912ca6-7264-48c8-afca-40e4950d210f" ,
"value" : "http://185.121.139.229/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1536326656" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927c00-c9c8-4780-84da-abc4950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\taskwgr.exe"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536240542" ,
"uuid" : "5b912b9e-67d4-45ad-b17d-4020950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1536240542" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5b912b9e-a4d4-4f19-a85a-4b45950d210f" ,
"value" : "b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536240546" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b912ba2-604c-4c25-b80f-4c2c950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536755335" ,
"uuid" : "af63c140-7e55-4ae2-a261-9f126f0195ab" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "af63c140-7e55-4ae2-a261-9f126f0195ab" ,
"referenced_uuid" : "6241958e-2b1b-4ccf-8aa5-0aee9e179e50" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1536302901" ,
"uuid" : "5b921f35-0d6c-4a42-b336-495202de0b81"
} ,
{
"comment" : "" ,
"object_uuid" : "af63c140-7e55-4ae2-a261-9f126f0195ab" ,
"referenced_uuid" : "f04b2156-46a7-4ffe-a470-b0d0ac7ef70e" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1536755345" ,
"uuid" : "5b990691-7064-4bee-bcb8-494c02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1536302885" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1badb4a6-67f0-408a-9ba2-f60f41bb913c" ,
"value" : "9afa3302527608a30408958bc48019fc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1536302888" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "3f8e1d75-74db-40bd-a845-6289bdb3dc91" ,
"value" : "0d34add7d61e26583dc54e7b89b6d4056d6bf201"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1536302891" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "2d4820de-1980-4c31-a0ff-8c0b43a9936d" ,
"value" : "b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1536302893" ,
"uuid" : "6241958e-2b1b-4ccf-8aa5-0aee9e179e50" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1536302893" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "8d5b54cd-1dfc-435b-8e19-cc4eda5b2288" ,
"value" : "2018-08-28T00:23:39"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1536302896" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "18055e03-5add-4a61-9465-9afc972b1cb3" ,
"value" : "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1536302898" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e911d120-fdf4-4110-8272-ddb11eedd9ec" ,
"value" : "45/67"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536325764" ,
"uuid" : "5b927884-8d5c-4a6c-af30-4daa950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536325764" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927884-8b74-453b-ae0f-439b950d210f" ,
"value" : "ReadMe.txt"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536325764" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927884-63d4-43d8-b2c8-4c68950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Registry key object describing a Windows registry key with value and last-modified timestamp" ,
"meta-category" : "file" ,
"name" : "registry-key" ,
"template_uuid" : "8b3228ad-6d82-4fe6-b2ae-05426308f1d5" ,
"template_version" : "4" ,
"timestamp" : "1536326106" ,
"uuid" : "5b9279c2-40a4-4823-840a-4c03950d210f" ,
"Attribute" : [
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "key" ,
"timestamp" : "1536326106" ,
"to_ids" : true ,
"type" : "regkey" ,
"uuid" : "5b9279c2-6a44-4133-bdbf-45ae950d210f" ,
"value" : "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\chrome"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "root-keys" ,
"timestamp" : "1536326106" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9279c3-b8ec-445c-9f70-4c8b950d210f" ,
"value" : "HKCU"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "data-type" ,
"timestamp" : "1536326106" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9279c3-c040-4ea5-bfe7-4955950d210f" ,
"value" : "REG_NONE"
} ,
{
"category" : "Persistence mechanism" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "name" ,
"timestamp" : "1536326692" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9279dc-e050-4a20-ac5e-adb4950d210f" ,
"value" : "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536326853" ,
"uuid" : "5b927cc5-d5ac-46df-ace4-4cf8950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536326853" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927cc5-28e4-4d21-8166-447d950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Data\\Tor\\geoip"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536326855" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927cc7-1e4c-44bc-94ff-4ee8950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536326952" ,
"uuid" : "5b927d28-edcc-445d-869b-42ae950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536326953" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927d29-a424-46ab-879c-4609950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Data\\Tor\\geoip6"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536326953" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927d29-1040-4836-878b-420c950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536326971" ,
"uuid" : "5b927d3b-9628-4e2f-83b3-4cb8950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536326971" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927d3b-e228-4ecc-b169-4369950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\test1.bmp"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536326973" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927d3d-8404-433c-9b99-4c2d950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536326986" ,
"uuid" : "5b927d4a-5334-448b-84e9-4545950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536326987" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927d4b-39a8-4fc7-a4b7-4a10950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libeay32.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536326988" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927d4c-a078-414c-8f77-4b37950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327388" ,
"uuid" : "5b927edc-e5a4-47e1-86a6-4a0f950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327388" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927edc-12c8-4b11-bc21-4428950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent_core-2-0-5.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327389" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927edd-56fc-4e14-8074-48f3950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327431" ,
"uuid" : "5b927f07-0ebc-45ea-9a4c-4791950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327432" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927f08-3ef8-43e9-9cbf-445c950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\tor\\cached-certs"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327433" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927f09-3b80-48dc-9dad-49d2950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327449" ,
"uuid" : "5b927f19-af00-4e57-bc93-49e9950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327449" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927f19-4a0c-4abe-b57d-4727950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdesc-consensus"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327449" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927f19-d26c-48fd-9d16-45c8950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327501" ,
"uuid" : "5b927f4d-5914-4be0-bc7e-4da1950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327501" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927f4d-6a90-4640-9dc3-452b950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libssp-0.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327504" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927f50-f734-4110-bc51-4193950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327518" ,
"uuid" : "5b927f5e-50ac-4596-b3cb-474b950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327518" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927f5e-1f80-41ab-a84f-4832950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\tor-gencert.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327521" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927f61-2d78-4789-9d34-4ea6950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327531" ,
"uuid" : "5b927f6b-0430-4a52-b692-4dba950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327531" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927f6b-8f2c-4ee2-987d-436c950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\svchost.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327532" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927f6c-0670-40ab-a060-4653950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327548" ,
"uuid" : "5b927f7c-32c8-4e30-b9d5-421f950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327548" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927f7c-13a0-4be5-a59e-4b2f950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\zlib1.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327550" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927f7e-c258-4aa9-ba33-4c57950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327662" ,
"uuid" : "5b927fee-1590-49f2-a2f6-44ca950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327662" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b927fee-413c-4578-b4f7-4de2950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\tor\\cached-microdescs.new"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327665" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b927ff1-1924-4851-b7be-4693950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327834" ,
"uuid" : "5b92809a-b468-47e6-a7c7-47c9950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327835" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b92809b-1a04-4ceb-be76-42b9950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent-2-0-5.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327837" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b92809d-168c-47c1-852f-47b1950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327849" ,
"uuid" : "5b9280aa-969c-4c3e-ad03-4011950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327850" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b9280aa-23a0-4033-9e66-4ede950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\ssleay32.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327850" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9280aa-5258-44fb-a115-4a6a950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327865" ,
"uuid" : "5b9280b9-be58-4c21-a4d2-49ca950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327865" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b9280b9-fb64-4f19-9d04-493d950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\tor\\state"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327866" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9280ba-fc78-464f-aaad-4a8e950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327876" ,
"uuid" : "5b9280c4-17b4-4114-8017-44e0950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327876" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b9280c4-4200-4f03-a557-4997950d210f" ,
"value" : "%UserProfile%\\Desktop\\ReadMe.html"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327879" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9280c7-bdb8-4b91-9edb-46df950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327888" ,
"uuid" : "5b9280d0-1874-4711-87ed-4299950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327888" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b9280d0-a204-43f9-b463-405d950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libgcc_s_sjlj-1.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327889" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9280d1-a424-494c-93d6-4600950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327899" ,
"uuid" : "5b9280db-dfe0-41f0-9f42-44c7950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327899" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b9280db-0780-49ba-94b9-46c8950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\Microsoft\\660F187B8C71F670E76F70C7EDAFE4E7\\Tor\\libevent_extra-2-0-5.dll"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327900" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9280dc-001c-4fa5-a889-4301950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "11" ,
"timestamp" : "1536327914" ,
"uuid" : "5b9280ea-e38c-41f1-8453-47b9950d210f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1536327914" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5b9280ea-0530-490d-bdf6-4b03950d210f" ,
"value" : "%UserProfile%\\AppData\\Roaming\\tor\\lock"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1536327917" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5b9280ed-a180-4fc9-80c4-46f6950d210f" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1536755335" ,
"uuid" : "f04b2156-46a7-4ffe-a470-b0d0ac7ef70e" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1536755338" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "bff3beea-deb5-49b8-a2be-334a5603e8ac" ,
"value" : "2018-08-28T00:23:39"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1536755342" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "505d7436-7769-4279-9d1a-b95934d0edc8" ,
"value" : "https://www.virustotal.com/file/b81c7079fd573304bb8fb177898dfbf6acdb16ff32632dfa9ebb9c3da2a59864/analysis/1535415819/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1536755345" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "00c8704b-05af-405d-a5ce-13f8167612d4" ,
"value" : "45/67"
}
]
}
]
}
}